This document should be read in conjunction with the Edge Documentation and the Edge mailing list archives. Please look at these documents before posting to the Edge mailing list.
Edge is a firewall implementation using Thin Linux, with the objective of allowing re-use of otherwise obsolete PC hardware.
You need hardware and software. See the Edge web site at http://edge.fireplug.net for all the relevant info and software downloads.
You are getting it right now! Edge is supported by the Edge mailing list. Posting a question will typically get you a reply within a few hours - sometimes minutes. Unless you are trying a very new version, it's likely your question has already been asked and answered, so check out the mailing list archives as well.
This is the most common problem I have seen, and it prompted me to write the EDGE 0.7 Gateway Configuration Mini-HOWTO, which contains step-by-step instructions for resolving this problem.
This is usually due to one or more of the following:-
in.telnetd: error in loading shared libraries
libncurses.so.3.4: cannot open shared object file: No such file or directory
First, try the following in the /lib directory:
ln -s libncurses.so.4.2 libncurses.so.3.4
If it works create a file /var/lib/config/local.list containing:
var/lib/config/local.list
lib/libncurses.so.3.4
And then run backup_config to save the changes.
Edit the lines in the /etc/syslog.conf file of your edge box in the following manner (note that there are default examples in the file which just need un-commenting).
user.* @server.yourdomain.com
daemon.* @server.yourdomain.com
kern.* @server.yourdomain.com
cron.* @server.yourdomain.com
local0.* @server.yourdomain.com
local1.* @server.yourdomain.com
local2.* @server.yourdomain.com
local3.* @server.yourdomain.com
As always, run backup_config to save the changes.
You also need to enable collection of remote logs on the target server (server.yourdomain.com in the lines above). This requires three config changes on the target machine which we will (naturally) assume is a Linux box.
1. Edit syslog.conf adding a line in the following manner:-
edge kernel.*
where edge is the name of your edge firewall.
This will dump all the messages generated by your firewall into /var/log/messages (or wherever you have logging set up).
2. Make sure that your target system is enabled to accept messages on the syslog service on UDP port 514; this requires the following line in /etc/services:
syslog 514/udp # BSD syslogd(8)
3. Restart syslogd with the -r option which enables collection of remote log messages.
You can filter the firewall log messages out of /var/log/messages with grep, or have a cron task set up to periodically grep the logfile and pipe the firewall log messages to a different file. Here's an example which, on my RedHat 5.2 system, lives in /etc/cron.hourly/fwlog:
#! /bin/bash
# copy every line mentioning "edge" (the firewall host) into its own file
grep edge /var/log/messages > /var/log/firewall
As you can see, this puts all the firewall messages (from the host called edge) into the file /var/log/firewall.
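The following script is an added example; it is not part of the original FAQ and not one of Edge's own scripts. It does the same extraction as the cron job above but matches the syslog hostname field, so a line from another host whose text merely contains the string "edge" (for example "knowledge", or a host named "hedge-trimmer") is not collected. The sample log lines are constructed for the example; the firewall host name "edge" and the ipchains "Packet log:" message format follow the FAQ.

```shell
#!/bin/sh
# Added example, not from the Edge FAQ or the Edge distribution.
# Pull one host's syslog messages out of a shared log by matching the
# hostname field instead of grepping for the bare word "edge", which would
# also collect lines from other hosts whose text happens to contain "edge".
#
# A BSD-style syslogd writes lines as:
#   Mon DD HH:MM:SS host program[pid]: message
# so the host is the 4th whitespace-separated field. awk's default field
# splitting also copes with the double space before single-digit days
# ("Jun  3"), which a cut -d' ' -f4 would not.

# fw_messages HOST LOGFILE: print every line logged by HOST.
fw_messages() {
    awk -v host="$1" '$4 == host' "$2"
}

# fw_message_count HOST LOGFILE: number of lines logged by HOST (0 if none).
fw_message_count() {
    awk -v host="$1" '$4 == host { n++ } END { print n + 0 }' "$2"
}

# Constructed sample log: two ipchains packet-log lines from the firewall
# host "edge", plus lines from other hosts that contain the string "edge".
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun  3 10:15:01 edge kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:1234 192.168.1.1:23 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#1)
Jun  3 10:15:02 server CROND[412]: (root) CMD (run-parts /etc/cron.hourly)
Jun  3 10:15:03 server sshd[500]: knowledge base sync complete
Jun  3 10:15:04 edge kernel: Packet log: input REJECT eth0 PROTO=17 10.0.0.9:53 192.168.1.1:1025 L=80 S=0x00 I=2 F=0x0000 T=64 (#2)
Jun  3 10:15:05 hedge-trimmer cron: job ran
EOF

# Stand-alone run: show the difference between the two approaches.
echo "lines matched by 'grep edge': $(grep -c edge "$SAMPLE_LOG")"         # 4
echo "lines logged by host edge:    $(fw_message_count edge "$SAMPLE_LOG")" # 2
fw_messages edge "$SAMPLE_LOG"
```

In the hourly cron job the call would be fw_messages edge /var/log/messages > /var/log/firewall. The host-field match matters more than it looks: anything that a remote host can get into its own log messages (a user name, a mail subject, a URL) ends up in /var/log/messages too, and a substring grep will happily file such lines under the firewall's log.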
Actually, you probably can, but the connection is timing out.
FTP and SMTP servers that have been compiled with the -paranoid option try to "ident" before proceeding with logins. Edge's default configuration is to pass these incoming Ident requests (port 113) through to machines inside the firewall (rather than responding itself).
Windoze machines inside the firewall receive these Ident requests but don't know how to respond, so they say nothing. The external FTP/SMTP servers sit and wait for a reply and eventually time out after 30-90 seconds, at which point the login proceeds.
There are two workarounds:-
1. For lazy people like me, if you always use one client to ftp out from, edit the following line in /etc/config/portfw.txt
auth tcp 192.168.1.x auth # ident
where x is the last octet of the client's IP address.
2. For the more ambitious, make the following changes suggested on the Edge mailing list by John Charlesworth:-
Turn off port-forwarding for port 113. Comment out the line in /etc/config/portfw.txt for the entry starting with "auth". (You can use the vi-esque editor "elvis" for this).
Create an entry in /etc/edge/edge-help to define REJ() as REJECT (similar to the entry for DNY()):
REJ(){
I -A $* -j REJECT
}
Edit /usr/sbin/firewall:
line 74: PLCY input REJECT
line 276: REJ OUTSIDE -i $oIF -l
line 278: REJ input -i $oIF -l
Make sure that /var/lib/config/edge.list contains lines for:
etc/config/portfw.txt
etc/edge/edge-help
usr/sbin/firewall
var/lib/config/edge.list
Run backup_config, then reboot.
The information contained in this document was obtained from the Edge mailing list digest.
This document is not gospel and I do not profess to be any form of expert in this field. However, it is probably the most up-to-date info that you will be able to find. Nobody is responsible for what happens to your hardware but yourself. If any of your hardware goes up in smoke (...nearly impossible!) I take no responsibility, i.e. THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THE INFORMATION INCLUDED IN THIS DOCUMENT.
This document is Copyright (c) 1999 by David Unsworth. Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are preserved on all copies.
Permission is granted to copy and distribute modified versions of this document under the conditions for verbatim copying, provided that this copyright notice is included exactly as in the original, and that the entire resulting derived work is distributed under the terms of a permission notice identical to this one.
Permission is granted to copy and distribute translations of this document into another language, under the above conditions for modified versions.
If you are intending to incorporate this document into a published work, please make contact (via e-mail) so that you can be supplied with the most up to date information available.
The latest version of this document can be found at http://www.unsworth.org/edge/Edge-FAQ.html
Comments, corrections and suggestions are always welcome. Please e-mail them to me at unsworth@mail-me.com