Version 1.1 06 March 2005
This HOWTO describes how to configure the EDGE 0.7 firewall to operate with a gateway router. This configuration is commonly required when using the EDGE firewall with a cable modem or ADSL connection.
This document should be read in conjunction with the EDGE Documentation and the EDGE mailing list archives. Please look at these documents before posting to the EDGE mailing list.
Typically when you connect to the Internet via a cable modem, ADSL or even dial-up connection, you are assigned an IP address which is part of a subnet, or partitioned group of IP addresses. The subnet is defined by the combination of the IP network address and the subnet mask. All devices within the subnet can communicate directly with each other (assuming correct netmask configuration of each device), but in order to communicate with devices outside of their own subnet, they must direct traffic to a router at a specific address. This router provides the path between the subnet and the rest of the Internet and is called the Gateway. All devices in the subnet must be made aware of the address of the gateway and must have an entry in their routing table which directs traffic destined for addresses outside of the subnet to the gateway.
If you are experiencing a problem with a new installation where you can ping some or all of the ISP's servers and its gateway router, but nothing else, then you need to configure your system to use a gateway router - read on...
The 0.7 release does not provide direct support for entering a gateway address in edge.txt. In addition, the EDGE floppy produced by the installation instructions does not contain the package that provides the route and netstat commands, and route is needed to add the default route inside the EDGE firewall. Finally, changes are required so that the additional files are saved when backup_config is executed.
For correct configuration of the EDGE firewall you will need the following information:
There are additional parameters in edge.txt which are described in section 1.4
rTYPE=static
Uncomment this line to tell EDGE that the public IP address is statically assigned, using the rIP parameter. If DHCP operation is required instead, comment this line out with a # and uncomment the corresponding line further down the file.
rIF=eth1
This defines the ethernet interface eth1 as the interface to the public network side of the firewall
rIP=xxx.xxx.xxx.xxx
This defines the IP address of the public network interface. Your ISP will advise you of the address.
rNL=xxx.xxx.xxx.xxx/yy
This defines the network address of the subnet to which you are connected. This should be entered in the format xxx.xxx.xxx.xxx/yy see section 1.5 for more information.
rMSK=xxx.xxx.xxx.xxx
This defines the subnet mask for the public network side of the firewall
rBST=xxx.xxx.xxx.xxx
This defines the broadcast address for the public network side of the firewall
rDNS=xxx.xxx.xxx.xxx
This defines the Domain Name Server your ISP wishes you to use
rDOMAIN=your_ISP.net
The domain name of your service provider
The network address is the network portion of an IP address.
For a class A network, the network address is the first byte of the IP address. For a class B network, the network address is the first two bytes of the IP address. For a class C network, the network address is the first three bytes of the IP address. In each case, the remainder is the host address. (These classes predate CIDR; today the netmask, not the first octet, decides where the network part ends, which is why rNL carries an explicit /yy.)
The Network Address (rNL) parameter in edge.txt is the base address of the subnet which your ISP has assigned you to, in combination with the Netmask (the "/xx" at the end is a shorthand way of indicating the netmask).
Typically (but not always) class C networks are used, in which case your network address would be xxx.xxx.xxx.0/24
The "/yy" is a shorthand form of the netmask, where yy is the number of ones in the binary form of the netmask. IP addresses and netmasks are normally written as 4 octets (four 8-bit numbers, each shown in decimal). Convert 255 to binary and you get 11111111; string three of these together and you get 24 ones, so 255.255.255.0 is /24 - see, now it makes sense!
If you dont know your network address you can calculate it using the Network/Node Calculator at http://www.unsworth.org/edge/net_calc.htm
I would recommend the IP Subnetting Tutorial at http://www.ralphb.net/IPSubnet/index.html as further reading - it's a much better explanation than I could ever come up with.
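The arithmetic described above (network = address AND mask, prefix length = number of one bits in the mask, broadcast = network OR NOT mask), as an added example that is not part of EDGE or of this HOWTO. It is written in POSIX sh so it runs on the busybox shell of an EDGE floppy as well as on a desktop, and it derives the rNL and rBST values from the rIP and rMSK your ISP gives you. It also checks whether a gateway is on the same subnet, which is exactly what "route add default gw" requires. The addresses in the demo (203.0.113.x) are constructed from the documentation range, not real ISP values.

```shell
#!/bin/sh
# Added example (not part of EDGE): subnet arithmetic in POSIX sh.
# Octets are read as decimal; leading zeros such as 010 are not supported.

# dotted quad -> 32-bit integer
ip_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmask -> prefix length (count of leading one bits);
# fails on a non-contiguous mask such as 255.0.255.0
mask_to_prefix() {
    m=$(ip_to_int "$1"); n=0
    while [ $(( m & 2147483648 )) -ne 0 ]; do
        n=$(( n + 1 )); m=$(( (m << 1) & 4294967295 ))
    done
    [ "$m" -eq 0 ] || { echo "invalid netmask: $1" >&2; return 1; }
    echo "$n"
}

# prefix length -> netmask
prefix_to_mask() {
    [ "$1" -ge 0 ] && [ "$1" -le 32 ] || { echo "invalid prefix: $1" >&2; return 1; }
    [ "$1" -eq 0 ] && { echo 0.0.0.0; return 0; }
    int_to_ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# network address = address AND mask
network_of()   { int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") )); }
# broadcast = network OR (NOT mask)
broadcast_of() { int_to_ip $(( ($(ip_to_int "$1") & $(ip_to_int "$2")) | ($(ip_to_int "$2") ^ 4294967295) )); }
# the rNL value in the xxx.xxx.xxx.xxx/yy form edge.txt expects
rnl_for()      { echo "$(network_of "$1" "$2")/$(mask_to_prefix "$2")"; }
# exit 0 when both addresses fall in the same subnet under the mask
same_subnet()  { [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]; }

# Demo with constructed values: the ISP hands out 203.0.113.77 with mask
# 255.255.255.192 (a /26, not the usual /24) and gateway 203.0.113.65.
demo_ip=203.0.113.77; demo_mask=255.255.255.192; demo_gw=203.0.113.65
echo "rNL=$(rnl_for $demo_ip $demo_mask)  rBST=$(broadcast_of $demo_ip $demo_mask)"
if same_subnet $demo_ip $demo_gw $demo_mask; then
    echo "gateway $demo_gw is on-link: route add default gw $demo_gw will work"
else
    echo "gateway $demo_gw is NOT on-link: check rMSK/rNL before adding the route"
fi
```

The same_subnet check is the one worth running before you type the route command: if the netmask you entered is narrower than the one your ISP actually uses, the gateway falls outside your subnet and the kernel refuses the default route.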
You need to use either the vi or ae editors which are installed as part of the EDGE firewall. For more details see Linux Mini Tutorial or Linux Basics
It depends! If you are in MS-DOS, use the regular COPY command.
If you are in Linux (i.e. you have booted EDGE successfully) you need to mount the floppy drive, copy the files and then unmount the floppy drive, as follows:
mount -t msdos /dev/boot /mnt
cp your/source/directory/file.name /mnt/your/destination/directory/file.name <- copies to the floppy
umount /mnt <- note this is not unmount !
The documentation can be found at the EDGE web site http://edge.fireplug.net as well as various readme and HOWTO files included in the EDGE distribution
For those who prefer not to edit all the files (and hence miss out the fun part!), you can download the files described in this document from http://www.unsworth.org/edge/files.htm
By default, the netdiag.tgz package is not loaded when EDGE 0.7 boots, because it is missing from the 0.7 floppy created by following the installation instructions.
It does exist in the EDGE 0.7 zip file which you probably downloaded from edge.fireplug.net; in case you haven't got it, it's available for download.
Extract netdiag.tgz from the edge 0.7 zip file (or download) and copy this file to the /system directory on the 1.7MB floppy you are running EDGE from. Next time you run EDGE, you should see netdiag.tgz being installed (or unpacked) as the system loads.
Once you have the netdiag.tgz package installed, your system will support the "route" and "netstat" functions. Verify this by issuing the command
/sbin/route -n
at the command prompt.
You should see your present routing table, it should look something like:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
xxx.xxx.xxx.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
where xxx.xxx.xxx.0 is the subnet associated with the public IP address assigned by your ISP. How do you figure this out? Typically they give you an IP address of xxx.xxx.xxx.xxx and a subnet mask of 255.255.255.0; a bitwise AND of the two gives you the subnet, which in the example above (the very common /24, or Class C, case) is xxx.xxx.xxx.0.
Now you can add a default route as follows:
/sbin/route add default gw yyy.yyy.yyy.yyy dev eth1
where yyy.yyy.yyy.yyy is the IP address of your ISP's gateway router
Now when you look at the routing table with /sbin/route -n you should see something like:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
xxx.xxx.xxx.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         yyy.yyy.yyy.yyy 0.0.0.0         UG    1      0        0 eth1
Note the addition of the third line which is routing out to the ISP gateway on your eth1 interface
Now the moment of truth... can you ping the ISP's gateway and, better still, can you ping something beyond it? (I suggest you try with an IP address rather than a hostname first, in case you have a DNS configuration problem.) Try 207.25.71.26, which was www.cnn.com when this was written; that address may well have changed since, so any public IP address you know answers pings will do.
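A check to run at this point, as an added example that is not part of EDGE or of this HOWTO: rather than relying on the ping alone, confirm that the default route is really in the kernel table and that the gateway is reachable on the intended interface. The function parses the output of "route -n" with awk (present in busybox on the EDGE floppy) and reads it from stdin, so it can be run on a captured table as well as live. The three sample tables are constructed (203.0.113.x is a documentation range) to show the healthy case, the "ISP subnet reachable but nothing beyond" case from the start of this HOWTO, and a mistyped netmask.

```shell
#!/bin/sh
# Added example, not part of EDGE. Live use on the firewall:
#     /sbin/route -n | check_default_route yyy.yyy.yyy.yyy eth1
# Exit status 0 means the route is installed and usable; otherwise one
# diagnostic line is printed.

check_default_route() {
    awk -v gw="$1" -v dev="$2" '
    # true when ip lies inside net/mask, done octet by octet because busybox
    # awk has no bitwise operators; assumes a contiguous netmask
    function in_subnet(ip, net, mask,    i, a, b, m, blk) {
        split(ip, a, "."); split(net, b, "."); split(mask, m, ".")
        for (i = 1; i <= 4; i++) {
            blk = 256 - m[i]
            if (int(a[i] / blk) * blk != b[i] + 0) return 0
        }
        return 1
    }
    $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }   # header lines
    # a connected (non-G) route on the interface that covers the gateway
    $4 !~ /G/ && $8 == dev && in_subnet(gw, $1, $3) { onlink = 1 }
    # a default route: destination and genmask both 0.0.0.0
    $1 == "0.0.0.0" && $3 == "0.0.0.0" {
        if ($4 ~ /G/ && $2 == gw && $8 == dev) found = 1
        else other = other " [" $2 " on " $8 "]"
    }
    END {
        if (!onlink) {
            print "gateway " gw " is not on a subnet attached to " dev ": check rIP/rMSK/rNL"
            exit 1
        }
        if (!found) {
            msg = "no default route via " gw " on " dev
            if (other != "") msg = msg ", found:" other
            print msg
            exit 1
        }
        print "default route via " gw " on " dev " is installed"
        exit 0
    }'
}

# Constructed sample tables.
sample_ok='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         203.0.113.1     0.0.0.0         UG    1      0        0 eth1'

# The situation this HOWTO starts from: ISP subnet reachable, nothing beyond.
sample_missing='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1'

# rMSK typed as /26 when the ISP meant /24: .1 is no longer on-link, so
# "route add default gw 203.0.113.1" fails with "Network is unreachable".
sample_badmask='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
203.0.113.64    0.0.0.0         255.255.255.192 U     0      0        0 eth1'

printf '%s\n' "$sample_ok"      | check_default_route 203.0.113.1 eth1
printf '%s\n' "$sample_missing" | check_default_route 203.0.113.1 eth1 || :
printf '%s\n' "$sample_badmask" | check_default_route 203.0.113.1 eth1 || :
```

The on-link test matters because "route add default gw" is silently useless if the gateway cannot be reached through a connected route on the same interface; the kernel normally rejects such a route outright, and when it does, the netmask is the first thing to re-check.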
None of the above will stick if you reboot, so to make this permanent you need to do the following. It's a bit of work, but hopefully you will now be seeing the light at the end of the tunnel (and the internet beyond your gateway) and be more motivated !
For those seeking the easy life, you can either download the individual files with modifications incorporated, or a full EDGE 0.7 with the modifications incorporated from http://www.unsworth.org/edge/files.htm
Add the following line to /etc/config/edge.txt:
rGATEWAY=yyy.yyy.yyy.yyy
where yyy.yyy.yyy.yyy is the IP address of your ISP's gateway router
Edit /etc/init.d/ethernet to look like this:
iCFG $pIF $pIP $pMSK $pBST
iCFG $rIF $rIP $rMSK $rBST
[ -n "$rGATEWAY" ] && route add default gw $rGATEWAY dev $rIF
(note that the third line shown above is the one to add; it uses $rIF, the public interface named in edge.txt, which in this HOWTO is eth1, and the -n test means nothing happens if rGATEWAY is left unset)
By default, the file /var/lib/config/local.list does not exist in an EDGE installation and needs to be created containing the following two lines:
/var/lib/config/local.list
/etc/init.d/ethernet
Note: The function of /var/lib/config/local.list is to provide a supplementary list of files to be saved when you run backup_config. Any files in this list are extracted last when EDGE loads and overwrite any files of the same name in the packages which are loaded first. The list must name itself, or it will not be saved either.
Before you reboot, you MUST run backup_config to write all your hard work back to the EDGE floppy. If you don't run backup_config, all your hard work will be lost when you reboot.
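A pre-reboot check for the three edits above, as an added example that is not part of EDGE or of this HOWTO. It inspects a tree root ("/" on the firewall, or a scratch directory for a dry run) and reports anything that would stop the gateway route surviving a reboot: rGATEWAY missing or malformed in edge.txt, the route line absent from the ethernet script, or local.list missing or not naming both files. The paths are the ones this HOWTO uses; make_demo_tree builds a constructed copy of the three files so the check can be exercised without touching the floppy.

```shell
#!/bin/sh
# Added example, not part of EDGE: verify the gateway configuration files
# before running backup_config. Exit status 0 means everything is in place;
# otherwise one line per problem is printed.

# four decimal octets, each 0..255
is_dotted_quad() {
    echo "$1" | grep -Eq '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' || return 1
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

check_gateway_config() {
    root=${1%/}                       # "/" and "" both mean the real root
    cfg="$root/etc/config/edge.txt"
    eth="$root/etc/init.d/ethernet"
    lst="$root/var/lib/config/local.list"
    rc=0

    # 1. rGATEWAY is set in edge.txt and looks like an address
    gw=$(sed -n 's/^rGATEWAY=//p' "$cfg" 2>/dev/null | tail -n 1)
    if [ -z "$gw" ]; then
        echo "$cfg: rGATEWAY is not set"; rc=1
    elif ! is_dotted_quad "$gw"; then
        echo "$cfg: rGATEWAY=$gw is not a dotted-quad address"; rc=1
    fi

    # 2. the ethernet script adds the route from that variable
    if ! grep -q 'route add default gw \$rGATEWAY' "$eth" 2>/dev/null; then
        echo "$eth: missing the 'route add default gw \$rGATEWAY' line"; rc=1
    fi

    # 3. local.list exists and names both files, otherwise backup_config
    #    will not save the modified ethernet script
    if [ ! -f "$lst" ]; then
        echo "$lst: missing, so backup_config will not save $eth"; rc=1
    else
        for f in /var/lib/config/local.list /etc/init.d/ethernet; do
            grep -qx "$f" "$lst" || { echo "$lst: does not list $f"; rc=1; }
        done
    fi
    return $rc
}

# Constructed copy of the three files under $1, as this HOWTO says they
# should look, for a dry run.
make_demo_tree() {
    mkdir -p "$1/etc/config" "$1/etc/init.d" "$1/var/lib/config"
    printf 'rTYPE=static\nrIF=eth1\nrGATEWAY=203.0.113.1\n' > "$1/etc/config/edge.txt"
    printf '%s\n' 'iCFG $pIF $pIP $pMSK $pBST' \
                  'iCFG $rIF $rIP $rMSK $rBST' \
                  '[ -n "$rGATEWAY" ] && route add default gw $rGATEWAY dev $rIF' \
        > "$1/etc/init.d/ethernet"
    printf '/var/lib/config/local.list\n/etc/init.d/ethernet\n' > "$1/var/lib/config/local.list"
}

demo=$(mktemp -d)
make_demo_tree "$demo"
check_gateway_config "$demo" && echo "$demo: ready for backup_config"
rm -rf "$demo"
```

On the firewall itself, run check_gateway_config / and only proceed to backup_config when it prints nothing.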
The information contained in this document was obtained from the EDGE mailing list digest as well as other sources. The changes to /etc/init.d/ethernet and /var/lib/config/local.list were created by Curtis Galloway. Thanks to Matthew Name for working through a draft of this document and verifying that the instructions are correct.
This document is not gospel and I do not profess to be any form of expert in this field. However, it is probably the most up to date info that you will be able to find. Nobody is responsible for what happens to your hardware but yourself. If any of your hardware goes up in smoke (...nearly impossible!) I take no responsibility, i.e. THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THE INFORMATION INCLUDED IN THIS DOCUMENT.
This document is Copyright (c) 1999 by David Unsworth. Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are preserved on all copies.
Permission is granted to copy and distribute modified versions of this document under the conditions for verbatim copying, provided that this copyright notice is included exactly as in the original, and that the entire resulting derived work is distributed under the terms of a permission notice identical to this one.
Permission is granted to copy and distribute translations of this document into another language, under the above conditions for modified versions.
If you are intending to incorporate this document into a published work, please make contact (via e-mail) so that you can be supplied with the most up to date information available.
The latest version of this document can be found at http://www.unsworth.org/edge/gateway_config.htm
Comments, corrections and suggestions are always welcome. Please e-mail them to me at unsworth@mail-me.com