----------------------------------------------------------------------
The SINUS Firewall -- a TCP/IP packet filter for Linux

Written within the SINUS project at the University of Zurich,
SWITCH, Telekurs Payserv AG, ETH Zurich.

Originally based on the sf Firewall Software (C) 1996 by Robert
Muchsel and Roland Schmid.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

SINUS Firewall resources:

SINUS Homepage:              http://www.ifi.unizh.ch/ikm/SINUS/
Firewall Homepage:           http://www.ifi.unizh.ch/ikm/SINUS/firewall.html
Frequently asked questions:  http://www.ifi.unizh.ch/ikm/SINUS/sf_faq.html
Mailing list for comments, questions, bug reports: firewall@ifi.unizh.ch
-------------------------------------------------------------------------

INSTALLATION INSTRUCTIONS
=========================

1. If you want to use the secure firewall-to-firewall communication,
   you need the ENskip package for Linux. This package is very
   complicated to install and configure. You have been warned.

   The firewall also works without ENskip, but you lose the ability
   for secure communication between firewalls, and encrypted
   communication between the firewall server and the graphical
   management interface. (Authentication is however done on a higher
   level.) So, if you don't need ENskip, go to 2.

   Okay, you wanted it. Get the newest release of ENskip. It can
   usually be found on ftp.tik.ee.ethz.ch under pub/packages/skip.
   Follow the install instructions. You need a C++ development system
   and you have to patch the Linux kernel. Install ENskip and generate
   a server certificate.

2. Get an appropriate Linux kernel. This software was mostly tested
   with Linux-2.0.34, so it is a good idea to take this one. It should
   also work for 2.0.32..35, and with a minor modification for
   2.0.26..31.

   Some configuration options are fundamental for the SINUS firewall.
   They are (in make menuconfig) under Networking options:

   - Network firewalling
   - TCP/IP networking
   - IP Forwarding
   - IP Firewalling
   - IP: Always defragment
   - IP: optimize as router not host

   Other options like IP masquerading or IP aliasing can safely be set
   or deleted. They don't work with the firewall, but setting them in
   the kernel doesn't hurt.

   Compile the kernel, install the kernel image and reboot. Don't
   "make clean" in the kernel subtree, since some objects from there
   are needed during firewall compilation.

3. If you want to build the Firewall Control Panel, you need to
   install the packages JDK-1.1.6 and SWING. See http://www.java.com/
   and http://www.sun.com/ for them.

4. - Unpack sifi-0.1.tar.gz, cd to the sifi-0.1 directory
   - (Edit the paths in include/sf_config.h if you don't like the
     default settings.)
   - (If you want to build the control panel, you might want to edit
     the classpath in client/Makefile.in according to your JDK and
     SWING installation.)
   - sh configure
   - make dep
   - make
     (or, if you just want to build the server or client,
     "make server" or "make client" instead of "make")
   - make install
     (or "make server_install" or "make client_install")

5. Generate a firewall configuration file, usually under
   /etc/firewall.d/firewall.conf. You can use one of the files in the
   samples subdirectory, but you have to edit them before they work!

6. - Insert the kernel module:
       insmod sf
   - Start the firewall daemon:
       sfc start
   - Make some traffic on the net and watch the logfile growing:
       tail -f /var/log/firewall
   - To stop the firewall:
       sfc stop; rmmod sf
   - To start the control panel:
       sfControl

7. If something goes wrong:

   - Read the install instructions and documentation carefully.
     The documentation also contains references to basic firewall
     literature.
   - Read the SINUS Firewall Homepage
     (http://www.ifi.unizh.ch/ikm/SINUS/) and follow the link to
     the FAQ.
   - Subscribe to the firewall mailing list (see the homepage for
     instructions) and discuss the problem there.

Harald Weidner 20.10.1998
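
A pre-build check for the kernel options listed in step 2, as an added
example that is not part of the SINUS distribution. The CONFIG_ symbol
names are an assumption (the Linux 2.0.x names behind the menuconfig
labels) and the sample .config is constructed.

```shell
#!/bin/sh
# Added example, not part of the SINUS distribution.
# Assumption: these CONFIG_ symbols are the Linux 2.0.x names behind the
# menuconfig labels in step 2; confirm them in your own kernel tree.
REQUIRED_OPTS="CONFIG_FIREWALL CONFIG_INET CONFIG_IP_FORWARD \
CONFIG_IP_FIREWALL CONFIG_IP_ALWAYS_DEFRAG CONFIG_IP_ROUTER"

# Print every required symbol that is not built in (=y) in the given .config.
missing_opts() {
    for opt in $REQUIRED_OPTS; do
        grep -q "^${opt}=y\$" "$1" || echo "$opt"
    done
}

# Return 0 if all options are set, 1 if some are missing, 2 if unreadable.
check_kernel_config() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    missing=$(missing_opts "$1")
    if [ -n "$missing" ]; then
        echo "not enabled in $1:" >&2
        echo "$missing" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}

# Constructed sample: a .config where "IP: Always defragment" was left off.
# A packet filter needs that option so it inspects whole datagrams rather
# than fragments that carry no TCP/UDP header.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_FIREWALL=y
CONFIG_INET=y
CONFIG_IP_FORWARD=y
CONFIG_IP_FIREWALL=y
# CONFIG_IP_ALWAYS_DEFRAG is not set
CONFIG_IP_ROUTER=y
EOF
}

# Demo run on the constructed sample.
sample=$(mktemp)
write_sample_config "$sample"
check_kernel_config "$sample" || echo "fix the options above, then rebuild the kernel"
rm -f "$sample"
```

To check a real build, call check_kernel_config on the .config in your
kernel source tree before running "sh configure" for the firewall.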