SmoothWall and Telstra Bigpond Cable

  Version: 2.0
  By: Lucien Wells.
  Using: SmoothWall 0.9.9 (beta)

  Special thanks to Alex Webster for coauthoring the HTML.

  SmoothWall (aka. Smoothie): http://www.smoothwall.org
  Telstra Bigpond (Advance) Cable: http://www.bigpond.com/broadband/

 

 

Table of Contents:

  1. Overview.
    1.1 Before you begin.
    1.2 Initial SmoothWall setup.
  2. DHCP Resolution Issues.
    2.1 Resolv.conf Configuration.
    2.2 Correcting a problematic DHCP configuration.
    2.3 Making changes to the hosts file.
  3. Installing a login client -- Bids2Login.
    3.1 Preliminary Installation.
    3.2 Executing Bids2Login.
    3.3 Securing your password.
    3.4 Automating Bids2Login at boot.
  4. Additional information.
    4.1 Logging heartbeats with Bids2Login.
    4.2 Using Logrotate.
    4.3 Logging out of Bigpond with Bids2Login.
  5. Acknowledgments.
    5.1 People.
    5.2 Legal.

 

 

1. Overview

As the availability of internet access, and in particular broadband connections, has spread, people have increasingly wanted to share the bandwidth available to them across private LANs (local area networks). Furthermore, due to the permanent and semi-permanent nature of most speedy connections, the need for security has increased. Enter SmoothWall, a firewall and gateway Linux appliance.

While SmoothWall works straight out of the box for most broadband connections, a certain amount of customisation is needed to get SmoothWall to work with Telstra Bigpond Cable. Unlike most cable connections, Telstra requires the use of a login application with its cable product. This mini-HOWTO will describe the various steps required to have SmoothWall work effectively with Bigpond Cable.

1.1 Before you begin:

Before proceeding with the rest of this mini-HOWTO, you will need the following:

1.2 Initial Setup:

I will assume that you have read and correctly followed the instructions provided by the SmoothWall team, have a working SmoothWall installation, and are able to access the admin interface from another PC (again, this is outlined in the documentation).

To transfer files to the SmoothWall installation, the SSH server on the SmoothWall box must be enabled. To do so, surf to the admin interface and select the "Remote Access" option from the menu on the left-hand side.



The SmoothWall login screen – select "Remote Access" from the menu bar.

Once at the "Remote Access" screen, place a check in the ‘SSH’ checkbox and hit the save button. SSH access is now enabled.


The Remote Access screen.

As outlined in the ‘before you begin’ section, you will need a copy of SSH Secure Shell, to have it installed, and have a basic understanding of its workings.

 

 

2. DHCP Resolution Issues

The first ‘issue’ one is likely to encounter with SmoothWall and Bigpond Cable is related to SmoothWall not identifying the DHCP (Dynamic Host Configuration Protocol – the system used by Bigpond Cable to assign IP addresses) settings correctly. I initially suspected this problem pertained only to my connection, but it has since been confirmed by other Bigpond cable users.

2.1 Resolv.conf Configuration:

SmoothWall uses the dhcpcd client for obtaining DHCP configuration information on boot. So, the first step is to boot (or restart) your SmoothWall box ensuring that the connection to your cable modem is plugged in. Now, login to your SmoothWall box via SSH, and do the following:

1. Go to the /etc/ directory:

            cd /etc/

2. Open the ‘resolv.conf’ file in joe:

            joe resolv.conf

Ideally, your ‘resolv.conf’ file should contain something similar to this:

nameserver 61.9.192.13
nameserver 61.9.192.16
nameserver 127.0.0.1

search nsw.bigpond.net.au

If it does, you are A-OK to proceed to ‘Installing a login client -- Bids2Login’. However, it is much more likely that your ‘resolv.conf’ will contain the following:

nameserver 127.0.0.1

This means that dhcpcd was unable to obtain the required DHCP information from Telstra’s DHCP server, and any attempt to log in to Telstra’s cable service will not work. At this point, exit Joe:

1. To exit Joe, press the following two keys:

            Ctrl-k

2. When you see "ˆk" appear in the top left corner, press:

            'q' and press enter or return.

 

2.2 Correcting a problematic DHCP configuration:

The simplest way to fix this problem is to edit the ‘resolv.conf’ file so it contains the correct information, and the easiest way to get that information is to do the following:

1. SSH in to your SmoothWall box.

2. At the command prompt, type the following: "dhcpcd ethX" where ‘ethX’ is the name of the network card that your cable connection is connected to.


EthX? What the…?:

If you are unsure what ‘ethX’ is on your system, type "ifconfig" at the command line. Assuming you have two network cards, you will see "eth0","eth1" and "lo". Ignore "lo". Look specifically at the information following the ‘inet addr’ field.

One network card will show the IP address for the ‘green adapter’ address you entered during the SmoothWall installation – in my case that was ‘192.168.0.1’ – it is the other card, the ‘red adapter’ we are after. Note the name of this card: replace ‘ethX’ with the name of that card.

Now refresh the directory listing (ls -l) and you should notice a new file: ‘resolv.conf<anything>’, where <anything> could be ".sw" or "~" or a number of other possibilities. This is a backup file that will contain the old 'resolv.conf' information, that is, "nameserver 127.0.0.1". Open the ‘resolv.conf’ file in Joe:

1. Go to the /etc/ directory:

            cd /etc/

2. Open the ‘resolv.conf’ file in Joe:

            joe resolv.conf

 

You should now see something similar to this:

nameserver 61.9.192.13
nameserver 61.9.192.16
nameserver 24.192.1.30
search nsw.bigpond.net.au

The exact contents may vary somewhat, but it should be similar. If you still only see "nameserver 127.0.0.1", you have a problem of some sort – check that all your cables are connected properly, that your cable modem is on, and that you typed the dhcpcd command correctly.

You will need to make one change to the resolv.conf file:

1. Use the directional keys to navigate to the third 'nameserver' line, for example:

            nameserver 24.192.1.30

2. Replace it with:

            nameserver 127.0.0.1

3. To save the changes, and exit Joe, press:

            Ctrl-k

4. When you see "ˆk" appear in the top left corner, press:

            'x' and press enter or return.

Now, bearing in mind that when the SmoothWall box is reset it will revert back to the ‘resolv.conf<anything>’ file (mentioned earlier), we want to make the contents of ‘resolv.conf<anything>’ match that of the new ‘resolv.conf’ file. The easiest way to do this is to execute the following commands from the command line:

1. Go to the /etc/ directory:

            cd /etc/

2. Copy the ‘resolv.conf’ file to the ‘resolv.conf<anything>’ file (for example, ‘resolv.conf.sw’):

            cp resolv.conf resolv.conf<anything>

Where resolv.conf<anything> is the name of the file to be overwritten.

3. When prompted to overwrite, type:

            ‘y’ and press enter or return.
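
The same steps in scripted form, as an added example that is not part of the original guide: it checks whether dhcpcd actually supplied upstream nameservers before changing anything, so a failed lease is never copied over the backup. The helper names resolv_state and pin_resolv are assumptions, and the demonstration works on constructed copies in a scratch directory rather than on /etc.

```shell
#!/bin/sh
# Added example: scripted form of the manual resolv.conf steps above.
# resolv_state and pin_resolv are hypothetical helper names.

# resolv_state FILE
# Prints "loopback-only" when every nameserver is 127.x (dhcpcd obtained
# nothing from the ISP), otherwise "upstream:N" with the number of
# non-loopback nameservers.
resolv_state() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ { up++ }
         END { if (up > 0) print "upstream:" up; else print "loopback-only" }' "$1"
}

# pin_resolv FILE BACKUP
# Replaces the third nameserver entry in FILE with 127.0.0.1 (a file with
# fewer entries is left unchanged), then copies FILE over BACKUP, the
# resolv.conf<anything> file that is restored at boot.
# Returns 1 without touching either file when FILE is loopback-only.
pin_resolv() {
    [ "$(resolv_state "$1")" != "loopback-only" ] || return 1
    tmp="$1.new.$$"
    awk '$1 == "nameserver" && ++n == 3 { print "nameserver 127.0.0.1"; next }
         { print }' "$1" > "$tmp" || return 1
    mv -f "$tmp" "$1" && cp -f "$1" "$2"
}

# Demonstration on constructed copies, never on the live /etc files.
demo_dir=$(mktemp -d)
cat > "$demo_dir/resolv.conf" <<'EOF'
nameserver 61.9.192.13
nameserver 61.9.192.16
nameserver 24.192.1.30
search nsw.bigpond.net.au
EOF
echo "nameserver 127.0.0.1" > "$demo_dir/resolv.conf.sw"

echo "before: $(resolv_state "$demo_dir/resolv.conf")"
pin_resolv "$demo_dir/resolv.conf" "$demo_dir/resolv.conf.sw"
echo "after:  $(resolv_state "$demo_dir/resolv.conf")"
cat "$demo_dir/resolv.conf.sw"
rm -rf "$demo_dir"
```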

2.3 Making changes to the hosts file:

Since writing the original SmoothWall and Bigpond Cable guide, it came to my attention that there was a specific issue with DNS resolution and Bigpond Cable that meant it took much longer than it should to log in via SSH.

The following is a workaround for the problem thanks to Lawrence Manning (SmoothWall co-author), and involves editing the /etc/hosts file, adding any and all clients that you would like to have access to SmoothWall (without the long hanging periods). Note that this workaround only applies to people using static IP addresses, not an internal DHCP server.

1. Go to /etc/ directory:

            cd /etc/

2. Open the 'hosts' file with joe:

            joe hosts

3. You should see the following:

            127.0.0.1 localhost
            192.168.0.1 smoothwall

4. For every client machine that you want to be free of the long hanging period, you will need to add the machine's IP address and hostname to the 'hosts' file using the syntax:

            <IP address> <hostname>

5. For example, I have one client on my network called "Power2burn" which has an IP address of 192.168.0.2, so my 'hosts' file looks like this:

            127.0.0.1 localhost
            192.168.0.1 smoothwall
            192.168.0.2 Power2burn

Repeat for all client machines you wish to add.

6. When done, save and exit joe. Press:

            Ctrl-k

7. When you see "ˆk" appear in the top left corner, press:

            'x' and press enter or return.

Ok, that’s half the battle won. At this point it is necessary to restart your SmoothWall machine: your cable modem must be plugged into your SmoothWall machine during (and after) the restart, as the rest of this guide assumes it is. For those that don’t know the correct restart command, type the following:

shutdown -r now

This will immediately start the shutdown process, with the ‘-r’ flag indicating to the machine to reboot. Once the reboot is complete, login to your SmoothWall machine via SSH.

 

3. Installing a login client -- Bids2Login

The next ‘issue’ is not an issue with SmoothWall at all, rather it is a problem with the way that Telstra has set up its Bigpond Cable network. Unlike most cable networks (and like the RoadRunner cable service in the US), Telstra Bigpond Cable requires you to run a login application before you can access anything, and thoughtfully Telstra didn’t provide a *unix login client.

Thankfully, Bigpond users came to the rescue and programmed a number of unofficial login clients – this is where the bids2login script you downloaded earlier will come in handy.

3.1 Preliminary Installation:

Before going much further, I would like to point out that a lot of the following information is regurgitated from the accompanying bids2login help file, and I recommend you read the help file if you want more information on bids2login, although it's not strictly necessary.

The first step is to create a directory to house bids2login – using the directory the author of bids2login suggests (/usr/local/bpc) – so SSH in to your SmoothWall machine:

To create the directory, type the following at the command line:

            mkdir -p /usr/local/bpc

Now, this is where the other part of the SSH Secure Shell package will come in handy -- Secure File Transfer Client. Open it, and configure it to connect to your SmoothWall machine. For example, my configuration looks like this:


Secure File Transfer Client - Replace 192.168.0.1 with the IP of your SmoothWall machine.

Once logged in, switch to the directory you just created (/usr/local/bpc), and upload the bids2login compressed file you downloaded earlier ("bids2login-1.00-x86-unknown-linux-elf.tar.gz" in this example) by selecting 'Upload' from the 'Operations' menu (making sure you have selected the /usr/local/bpc directory), finding and selecting the file you wish to upload (bids2login-1.00-x86-unknown-linux-elf.tar.gz), and clicking on the upload button.


Secure File Transfer Client - Selecting the file to upload.

With the file successfully uploaded, exit Secure File Transfer Client, switch back to the SSH client and do the following:

1. Go to the bids2login folder:

            cd /usr/local/bpc   (or the directory you created)

2. Uncompress the gzip file:

            gzip -d bids2login-1.00-x86-unknown-linux-elf.tar.gz

3. Uncompress the resulting tar file:

            tar xvf bids2login-1.00-x86-unknown-linux-elf.tar

3.2 Executing Bids2Login:

It's now time to test out the bids2login script, and see if SmoothWall is finally hooked up to the ‘net via Bigpond. Issue the following commands:

1. Make sure you are in the bids2login folder:

            cd /usr/local/bpc (or whatever directory you created)

2. Execute the bids2login script

            ./bids2login -l <username> -p <password>

            Where <username> and <password> are your Bigpond Cable username and password respectively.

3. If all is successful you should get a message saying:

            "Login at <current date> as <username> successful."

Great! Now we have net access! If you leave your SmoothWall machine alone for long enough (at almost exactly five (5) minute intervals) you will notice ‘heartbeat’ replies show up on the screen:

"Status Heartbeat for <username> responded to at <current date>."


Heartbeats are totally normal, so don’t worry if you see one.

Now, hit Control-C to stop bids2login.

Right… that’s all great and fantastic, but who wants to have to type commands if they can avoid it…? So it's time to automate the login sequence.

3.3 Securing your password:

But first, let's get a little sidetracked: one of the neat features of bids2login is that it can read your password from a file, which is much more secure than typing it at the command line, and it also helps to automate things. So open your text editor, and do the following:

1. Switch to the /etc/ directory:

            cd /etc/

2. Start a new file with joe called 'bpc.login.pw':

            joe bpc.login.pw

3. Enter your password, and password only, into the file.

4. Save the file – you can call it anything, but ‘bpc.login.pw’ is recommended as per the instructions included with bids2login. Press:

            Ctrl-k

5. When you see "ˆk" appear in the top left corner, press:

            'x' and press enter or return.
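
The password file is only as private as its permissions, so here is a scripted version of this step that creates the file owner-only and audits it afterwards. It is an added example, not part of the original guide or of bids2login; the helper names write_pwfile and check_pwfile are assumptions, and the demonstration uses a constructed password in a scratch directory where the real file would be /etc/bpc.login.pw.

```shell
#!/bin/sh
# Added example: create and audit the bids2login password file.
# write_pwfile and check_pwfile are hypothetical helper names.

# write_pwfile PATH
# Reads one line (the password) from stdin and stores it in PATH.
# The old file is removed first: umask only applies when a file is
# created, so rewriting an existing file would keep its old mode.
write_pwfile() {
    (
        umask 077
        IFS= read -r pw || [ -n "$pw" ] || exit 1
        rm -f -- "$1"
        printf '%s\n' "$pw" > "$1"
    )
}

# check_pwfile PATH
# Prints "ok", or the reason the file should not be trusted, and
# returns non-zero in the latter case.
check_pwfile() {
    f=$1
    if [ -L "$f" ]; then echo "symlink"; return 1; fi
    if [ ! -f "$f" ]; then echo "missing"; return 1; fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "group/other access: $perms"; return 1
    fi
    lines=$(wc -l < "$f" | tr -d ' ')
    if [ "$lines" -ne 1 ]; then
        echo "expected 1 line, found $lines"; return 1
    fi
    echo "ok"
}

# Demonstration in a scratch directory with a constructed password.
demo_dir=$(mktemp -d)
printf 'constructed-password\n' | write_pwfile "$demo_dir/bpc.login.pw"
echo "fresh file:    $(check_pwfile "$demo_dir/bpc.login.pw")"
chmod 644 "$demo_dir/bpc.login.pw"
echo "after chmod:   $(check_pwfile "$demo_dir/bpc.login.pw" || true)"
rm -rf "$demo_dir"
```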

3.4 Automating Bids2Login at boot:

We are almost there; we just need to make one final change. Assuming you are still logged in to your SmoothWall machine via SSH, do the following:

1. Make sure you are in the /etc/rc.d directory:

            cd /etc/rc.d

2. Open the rc.sysinit file in joe:

            joe rc.sysinit

3. Using the directional keys, scroll down to the lines that read:

            echo "Starting snort IDS (if enabled)"
            /usr/local/bin/restartsnort

4. Add the following directly after the above:

           echo "logging onto big pond cable .."
           /usr/local/bpc/bids2login -l <username> -f /etc/bpc.login.pw &

Where <username> is your Bigpond Cable username, and /etc/bpc.login.pw is the password file you created earlier.

5. Save and exit joe:

            Ctrl-k

6. When you see "ˆk" appear in the top left corner, press:

            'x' and press enter or return.

For those interested, the ampersand (‘&’) at the end of the command merely tells SmoothWall to run this command in the background – you will however get heartbeats showing up on the command line.

Done! Restart your SmoothWall machine, and during the start-up process watch for "logging onto big pond cable". When the command prompt comes up, login as root, and try pinging a server (for example, telstra.com):

1. To ping telstra.com type the following at the command line:

            ping -c 4 telstra.com

2. You should get a readout similar to the following:

PING telstra.com (144.135.18.10) from 144.132.178.59 : 56(84) bytes of data.
64 bytes from 144.135.18.10: icmp_seq=0 ttl=251 time=9.4 ms
64 bytes from 144.135.18.10: icmp_seq=1 ttl=251 time=17.1 ms
64 bytes from 144.135.18.10: icmp_seq=2 ttl=251 time=14.8 ms
64 bytes from 144.135.18.10: icmp_seq=3 ttl=251 time=34.1 ms

--- telstra.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 9.4/18.8/34.1 ms

If you do not get a readout similar to the above, try pinging another server, say yahoo.com (just replace ‘telstra.com’ with ‘yahoo.com’ in the above command). If you still don’t get the appropriate output, you have done something incorrectly, so go back over the above instructions.

 

 

4. Additional information

4.1 Logging heartbeats:

Now that your SmoothWall is set up just right, and it's auto-logging in to Bigpond Cable, you might want to be able to log the heartbeats, rather than having them fill up your SmoothWall screen (if it has one).

Well, I had a quick email discussion with Lincoln Dale, the creator of bids2login, and he suggested the following:

To get rid of the heartbeats altogether:

1. SSH in to SmoothWall and make sure you are in the /etc/rc.d directory:

            cd /etc/rc.d

2. Open the rc.sysinit file in joe:

            joe rc.sysinit

3. Find the lines you added earlier:

            echo "logging onto big pond cable .."
            /usr/local/bpc/bids2login -l <username> -f /etc/bpc.login.pw &

4. Edit the lines to read:

            echo "logging onto big pond cable .."
            /usr/local/bpc/bids2login -l <username> -f /etc/bpc.login.pw > /dev/null 2>&1 &

5. Save and exit joe:

            Ctrl-k

6. When you see "ˆk" appear in the top left corner, press:

            'x' and press enter or return.

To have it log heartbeats to file:

1. SSH in to SmoothWall and make sure you are in the /etc/rc.d directory:

            cd /etc/rc.d

2. Open the rc.sysinit file in joe:

            joe rc.sysinit

3. Find the lines you added earlier:

            echo "logging onto big pond cable .."
            /usr/local/bpc/bids2login -l <username> -f /etc/bpc.login.pw &

4. Edit the lines to read:

            echo "logging onto big pond cable .."
            /usr/local/bpc/bids2login -l <username> -f /etc/bpc.login.pw 2> <log> &

Where <log> is the path and name of the file to log to, for example, "/usr/local/bpc/connection.log", which would put all heartbeats into a file called ‘connection.log’ in the ‘/usr/local/bpc’ directory.

5. Save and exit joe:

            Ctrl-k

6. When you see "ˆk" appear in the top left corner, press:

            'x' and press enter or return.

 

One thing to be aware of – heartbeats come in every five (5) minutes, so your log will eventually grow to fairly large sizes… you have been warned.

4.2 Using Logrotate:

There is, however, a solution in the form of logrotate, which, as the name implies, rotates logs, and is part of the SmoothWall distribution. To set up logrotate, rotating logs weekly, and archiving those logs for four weeks (while also compressing them), do the following:

1. SSH in to SmoothWall and make sure you are in the /etc/ directory:

            cd /etc/

2. Open the logrotate.conf file in joe:

            joe logrotate.conf

3. Find the following line:

            "# system-specific logs may be configured here"

4. After the above line, add the following:

            # Start Bigpond Cable logs
            "/var/log/bpc.connection.log" {

                # truncate the original log file in place (stops opening a new file)
                copytruncate

                # rotate logs weekly:
                weekly

                # keep 4 weeks worth of backlogs, before deleting
                rotate 4

                # compress old logs
                compress

            # Stop Bigpond Cable logs
            }

Where "/var/log/bpc.connection.log" is the output log you specified previously.

5. Save and exit joe:

            Ctrl-k

6. When you see "ˆk" appear in the top left corner, press:

            'x' and press enter or return.

All of the above lines should be fairly self-explanatory. If you would like to mess around with logrotate, I suggest you read the logrotate manual (available at Linux.com). More importantly, after a while you will notice that files similar to <log>.1.gz will begin to appear in your /var/log/ directory, where <log> is the name of the log file specified earlier.

Be aware that there are limitations to the above configuration – for instance, the current log is overwritten if the SmoothWall machine is rebooted – however, it does provide a convenient way of logging heartbeats, and the Linux gurus amongst you can probably work out more advanced configurations.
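
How the redirections from 4.1 behave, and how they interact with the copytruncate setting from 4.2, as an added example that is not part of the original guide. fake_client is a constructed stand-in for bids2login and assumes heartbeats are written to stderr, which the "2> <log>" form in 4.1 implies; the logrotate step is simulated by emptying the log file while the writer still has it open.

```shell
#!/bin/sh
# Added example: how the rc.sysinit redirections behave.
# fake_client is a constructed stand-in for bids2login; it assumes the
# login message goes to stdout and heartbeats go to stderr.
fake_client() {
    echo "Login as user successful."
    echo "Status Heartbeat for user responded to." >&2
}

# Output that still reaches the console with "2>&1 > /dev/null":
# stderr is pointed at the console first, then only stdout is discarded.
leak_wrong_order() { fake_client 2>&1 > /dev/null; }

# Output that reaches the console with "> /dev/null 2>&1": none.
leak_right_order() { fake_client > /dev/null 2>&1; }

# size_after_copytruncate MODE LOG
# Size of LOG in bytes after a writer logs one 12-byte line, the file is
# emptied the way copytruncate does it, and the writer logs a second line.
# MODE is "truncate" (2> LOG) or "append" (2>> LOG).
size_after_copytruncate() {
    mode=$1
    log=$2
    writer() {
        echo "heartbeat 1" >&2
        : > "$log"            # what copytruncate does to the live file
        echo "heartbeat 2" >&2
    }
    if [ "$mode" = append ]; then
        writer 2>> "$log"
    else
        writer 2> "$log"
    fi
    wc -c < "$log" | tr -d ' '
}

# Demonstration with a scratch log file.
demo_log=$(mktemp)
echo "2>&1 > /dev/null leaks:  $(leak_wrong_order)"
echo "> /dev/null 2>&1 leaks:  $(leak_right_order)"
echo "2>  after copytruncate:  $(size_after_copytruncate truncate "$demo_log") bytes"
echo "2>> after copytruncate:  $(size_after_copytruncate append "$demo_log") bytes"
rm -f "$demo_log"
```

With "2>" the writer keeps its old file offset after the truncation, so the log regrows with a block of NUL bytes at the front; "2>>" opens the file in append mode, which avoids that and also stops a reboot from overwriting the current log.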

4.3 Logging out of Bigpond Cable:

There comes a time when you want to get your SmoothWall box to log out of Bigpond Cable. You have two options – either shut down the machine, or type the following from the command prompt, or via ssh:

kill $(cat /var/run/bids2login.pid)

Essentially, this will kill the bids2login script, so there will be no response to the heartbeats, and thus you will be logged out – this may take up to five minutes.

 

 

5. Acknowledgments

5.1 People:

The following is a list of people who helped me write this guide (in no particular order):

Stephen Johns
Alex Webster
Richard Morrell
Lawrence Manning
Lincoln Dale
‘Bill’, ‘Becky’ and ‘neuro’ from the SmoothWall IRC channel.
Numerous people on the ‘[users]’ mailing list.

5.2 Legal:

SmoothWall:
SmoothWall is a trademark of Richard Morrell and Lawrence Manning and is published under the GNU General Public License.

Telstra Bigpond Cable:
TELSTRA and BIG POND are trademarks of the Telstra Corporation Limited.