PakSecured Installation & Configuration

Minimum System Requirements

Pentium Processor

16MB RAM

1 GByte (or larger) IDE Harddrive

Network Interface Card

Bootable CD-ROM or 3.5" floppy drive


Phase I - Initial Files Install

The installation of PakSecured Linux will destroy any data you have on your harddrive. Make sure that you have a new harddrive or that you have backed up all critical data from your existing harddrive. Once you are ready to proceed, collect the following information as it will be necessary for the installation:

* IP address in CIDR notation for your server

Ex: 192.168.1.1/24


* IP address of your default router

Ex: 192.168.1.254

Note that this can be set to the interface address if you do not have a default router.


* IP address of your nameserver

Ex: 192.168.1.128

As with the router, this can be set to the interface address.


* FQDN (Fully Qualified Domain Name) for this server

Ex: paksecured.mynet.com


* Root user password


You must supply all of this information on the appropriate screen. If any single item is missing, the install routine will assume that you do not want to continue and will stop the installation process. However, your hard disk will already have been partitioned.

CDROM Install Process


1. Boot from the CD

2. Press enter at the LILO prompt to start

3. When prompted for "Select Installation Media" select CDROM.

At this point in the installation process, the CDROM is mounted, and the harddrive is partitioned as follows:

hda1 is 128MB swap

hda2 is 750MB for /

hda3 is 250MB for /var

4. You will then be prompted to enter your networking information.

Enter all of the information you collected above.

5. PakSecured Linux is installed on the drive.

6. When the installation is finished supply the root password

After providing the root user password lilo will be installed and the CDROM will be ejected. At this point the system will ask you to reboot. Press enter and then continue on to the next phase.



HTTP/FTP Install Process


1. Boot install floppy (disk1-boot.img)

2. Press enter at the LILO prompt to start

3. When prompted for "Select Installation Media" select http/ftp

You will then be prompted to enter the driver floppy disk (disk2-drivers.img).

4. Enter your networking information.

If you do not have a default router, enter your local interface address. You will need to have already set up a webserver on that network.

5. Select the location of the PakSecured image file

ex: http://207.91.34.213/software/paksecured.tar.bz2

If you have set up your own server, note that you MUST use the IP address of that server and that the server needs to respond on that address. There is no DNS capability at this point in the install.

6. PakSecured Linux is installed on the drive.

7. When the installation is finished supply the root password

After providing the root user password lilo will be installed and you need to remove all floppy disks from the drives. The system will request confirmation of reboot and continue into the next phase of the install.



Phase II - Kernel Configuration

Once the initial files install is completed you will be prompted to reboot the PC. Remove all disks and CDs from the drives and press enter to reboot. The system will come up automatically into the menuconfig kernel configuration screen. Select all the relevant network card drivers and other devices needed for your system. At a minimum you will only need to select your network card driver. All other options needed for running PakSecured are already selected.

*** Warning ***

Do Not Change any of the already selected options especially in the networking sections unless you REALLY KNOW what you are doing. Deselecting some of the options in the kernel configuration could cause your system to be completely useless.

***************



Minimum Kernel configuration

The system will boot straight into "Make Menuconfig", so that you may select the appropriate network drivers for your kernel.

Select "Network Device Support" from the menu.

Select "Ethernet (10 or 100Mbit) (or TokenRing or ...)"

Now select the drivers for all your network interface cards.

Select "Exit" twice.

When prompted to save your configuration select "Yes"

Your kernel will be compiled and installed automatically

The system will automatically compile and install the kernel and all modules needed for operation. After this is done the system will reboot to use the newly compiled kernel.



Final Phase - PakSecured Configuration


Once the system has rebooted with your new kernel image you will be given a standard login prompt. You may now login as root to the system. Note that as part of the previous installation phases several parts of the system were configured. These are as follows.

A user called "tech" was created

Tech has the password you assigned in the install

tech's ssh keys were generated

System SSH keys were generated

The basic networking as entered in the install process was configured.

You will now want to perform any advanced configuration of the system. The initial networking values you entered during the install process have already been saved, so you should have device eth0 already functional. You can check this by entering the following commands:

--> ip addr (will show the address you entered for eth0)

--> ip route (will show the route for the gateway you entered)

Note that this system does not have ifconfig or route installed. The only networking utilities are ip, tc, and the set from Alexey's iputils package.

PakSecured is designed to allow for simple operation through a global firewall system configuration file. All standard networking is performed through standard independent configuration files such as those listed below. The global configuration file also allows for calling scripts that perform advanced policy routing structures. The following listing provides some of the relevant files for configuring and maintaining the system.

Networking configuration files and the advanced policy scripts are located in /etc/sysconfig/network-scripts/.

Within this directory are the ip4cfg-{network} configuration files for the network interface cards. You should already have an ip4cfg-eth0 in this directory from the install.

There is a sample-ip4cfg provided as a template to configure any other interfaces you may need. (ip4cfg-eth1, ip4cfg-tr0, ...) Note that you cannot use the ip4cfg-* files from any other distribution as they do not use Policy Routing.

The routes needed for the system on startup are contained within the ip4cfg-routes file in this directory as well. Look inside that file for the current routing setup and some samples for additional routes.

Also within this directory are some sample files for performing advanced policy routing structures. The mail.fw file is a simple single machine policy for allowing a unique route for a single machine. Note that this file also contains the commands for setting up the firewalling functions that are associated with the policy.

On the CD you can find some advanced configuration files that implement parts of the book examples. These files would be placed into this directory for use.

pakfw.config

The global configuration file for the firewall part of the system is the pakfw.config file located in /etc/sysconfig. The file is commented. Note that many of the sections in the file contain loop structures. This is one of the more powerful uses of the configuration structures. To best illustrate how it works consider the final section, MISC.

MISC_HIGH=0

MISC0="mail.fw"

MISC1=""

MISC2=""


As you can see there are variables that are numbered consecutively. These are the actual run variables. In this case the MISC0 variable contains the name mail.fw. The loop variable is the MISC_HIGH variable.

When the loop variable is set to 0, as it is here, this section is deactivated even if the global logic variable MISC (located at the top of pakfw.config) is set. This loop variable controls the number of procedures that would be run. So if you want to run the mail.fw script you can set the MISC_HIGH variable to 1. Note that this is one greater than the number of the variable. This is where the looping comes in. Say you wanted to code up all 8 examples from Chapter 5 of Policy Routing with Linux to run as MISC additions. Then you would set the loop variable MISC_HIGH to 9 and place the names of the files you created to run the examples in the appropriate lines. You may end up with a MISC section that looks like this.

MISC_HIGH=9

MISC0="example5.1"

MISC1="example5.2"

MISC2="example5.3"

MISC3="example5.4"

MISC4="example5.5"

MISC5="example5.6"

MISC6="example5.7"

MISC7="example5.8"


Now the fun part is that you can also set the loop variable to 3 in which case you would only run examples 5.1 - 5.3.
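Because MISC_HIGH decides which slots run, a filled slot above it is a policy script that is silently not applied. The following check is an added example, not code from PakSecured or its pakfw.functions: it assumes the entries are plain NAME="value" lines, that the loop runs MISC0 through MISC(MISC_HIGH-1) and skips empty slots, and that the named scripts live in the directory given as the second argument. It does not examine the global MISC switch.

```shell
# Added example, not part of PakSecured. Assumes NAME="value" assignments and
# that the loop runs MISC0 .. MISC(MISC_HIGH-1), as the text describes.

# Print the value assigned to variable $2 in config file $1 (empty if unset).
cfg_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#[:space:]]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Print MISC_HIGH from file $1, or fail if it is missing or not a number.
misc_high() {
    high=$(cfg_get "$1" MISC_HIGH)
    case "$high" in ''|*[!0-9]*) echo "bad MISC_HIGH in $1" >&2; return 2 ;; esac
    echo "$high"
}

# Print the script names the loop would run for file $1, one per line.
misc_active() {
    high=$(misc_high "$1") || return 2
    i=0
    while [ "$i" -lt "$high" ]; do
        name=$(cfg_get "$1" "MISC$i")
        if [ -n "$name" ]; then echo "$name"; fi
        i=$((i + 1))
    done
}

# Report configured-but-skipped slots and active slots whose script is absent
# from directory $2. Returns non-zero when there is anything to report.
misc_audit() {
    high=$(misc_high "$1") || return 2
    findings=0
    for n in $(sed -n 's/^[[:space:]]*MISC\([0-9][0-9]*\)=.*/\1/p' "$1" | sort -n -u); do
        name=$(cfg_get "$1" "MISC$n")
        [ -n "$name" ] || continue
        if [ "$n" -ge "$high" ]; then
            echo "MISC$n=$name is never run (MISC_HIGH=$high)"; findings=$((findings + 1))
        elif [ ! -f "$2/$name" ]; then
            echo "MISC$n=$name is active but missing from $2"; findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: two slots filled, but only the first is enabled.
demo=$(mktemp -d) && : > "$demo/mail.fw"
printf 'MISC_HIGH=1\nMISC0="mail.fw"\nMISC1="example5.1"\nMISC2=""\n' > "$demo/pakfw.config"
misc_active "$demo/pakfw.config"
misc_audit "$demo/pakfw.config" "$demo" || echo "review the MISC section"
rm -rf "$demo"
```

On an installed system the two arguments would be /etc/sysconfig/pakfw.config and /etc/sysconfig/network-scripts.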

These variables control the information needed to run the system. If you want to see how these variables are used look in the function definitions. These are located in /etc/rc.d/init.d and are the pakfw.functions and pakvpn.functions files. There are other function definitions that are located in /etc/sysconfig/network-scripts.

Enjoy your PakSecured system.