Firewall Lab Instructions (v 1.6)

Introduction

This lab involves using VMware. VMware is a suite of programs capable of running
instances of entire operating systems inside another operating system. VMware can
run specially configured images. Alternatively, it can boot up an instance of an
operating system from a bootable CD or from an ISO file.

There are a number of VMware programs available. These include VMware Server and
VMware Player. VMware Player is available on the Linux PCs in the labs and it can be used to
run multiple instances of operating systems. The second assignment will involve
the use of VMware as outlined in this guide.

We will create a set of VMware files that will be arranged into a simple network. The
network will look like this.

Here is a more detailed picture of the virtual network

There are a number of possible approaches to setting up the virtual network.

(1) Create a set of directories in the directory with your login name in /images/netsec/

(2) Create a set of directories on a USB memory stick which is mounted on one of the
PCs in the labs running Linux.

(3) If you have a laptop with at least one gigabyte of RAM, you can install VMware
server on it and do the exercise and assignment 2 on it. Option 3 is the most desirable,
but it may not be available to everyone.

Files used in the running of VMware

File extension   Description

.vmx             Basic VMware configuration file

.vmdk            This file (or files) are the system's virtual hard drive(s).

.vmsn / .vmsd    It is possible to take snapshots of the system while it is
                 running. A vmsn file stores the state of the system when the
                 snapshot was taken. The vmsd file stores information about
                 the snapshots.

.nvram           These files store the BIOS data for the virtual machine.

Instructions for setting up and using VMware in the Labs

(1) Boot up into Linux using KDE or Gnome.

(2) Open a terminal

(3) There is a directory called /images which is used for storing images for use with
VMware. Inside /images there is a subdirectory called netsec. Inside that there is a
subdirectory with your login name. This is where you will keep your VMware images
and configuration files.

cd /images/netsec/your_user_name

(4) Now make 3 directories

mkdir firewall

mkdir internal

mkdir external

(5) Get 3 copies of the basic vmx test file and put them in the directories you just
created.

cp /images/netsec/BBCtest3/BBCtest3.vmx ./firewall/firewall.vmx

cp /images/netsec/BBCtest3/BBCtest3.vmx ./internal/internal.vmx

cp /images/netsec/BBCtest3/BBCtest3.vmx ./external/external.vmx

(6) You need to alter the permissions of the vmx files as well. These need to be readable
and writable for everyone, as VMware alters the files.

chmod 666 ./firewall/firewall.vmx

chmod 666 ./internal/internal.vmx

chmod 666 ./external/external.vmx

You also need to get copies of the files BBCtest3.vmdk and BBCtest3-f001.vmdk

cp /images/netsec/BBCtest3/*vmdk ./firewall

cp /images/netsec/BBCtest3/*vmdk ./internal

cp /images/netsec/BBCtest3/*vmdk ./external

These also need to be made writable for everyone


chmod 666 ./firewall/*vmdk

chmod 666 ./internal/*vmdk

chmod 666 ./external/*vmdk



You will need to alter the contents of each of the vmx files.

The contents of the unmodified BBCtest3.vmx file are shown below.

#!/usr/bin/vmware
config.version = "8"
virtualHW.version = "4"
scsi0.present = "TRUE"
scsi0.virtualDev = "lsilogic"
memsize = "32"
MemAllowAutoScaleDown = "FALSE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "BBCtest3.vmdk"
scsi0:0.writeThrough = "FALSE"
ide1:0.present = "TRUE"
ide1:0.fileName = "/images/netsec/bbc/bbc-2.1.iso"
ide1:0.deviceType = "cdrom-image"
floppy0.startConnected = "FALSE"
floppy0.fileName = "/dev/fd0"
ethernet0.present = "TRUE"
usb.present = "FALSE"
sound.present = "FALSE"
sound.virtualDev = "es1371"
displayName = "BBCtest3"
guestOS = "other26xlinux"
nvram = "BBCtest3.nvram"

ethernet1.present = "TRUE"
ethernet1.connectionType = "custom"
ethernet2.present = "TRUE"
ethernet2.connectionType = "custom"
ethernet2.vnet = "/dev/vmnet8"

floppy0.present = "FALSE"
ethernet1.vnet = "/dev/vmnet2"

scsi0:0.redo = ""
ethernet0.addressType = "generated"
ethernet1.addressType = "generated"
ethernet2.addressType = "generated"
uuid.location = "56 4d 54 72 f0 2a 88 c2-7d 54 7d 6c 57 53 6b c9"
uuid.bios = "56 4d 54 72 f0 2a 88 c2-7d 54 7d 6c 57 53 6b c9"
ethernet0.generatedAddress = "00:0c:29:53:6b:c9"
ethernet0.generatedAddressOffset = "0"
ethernet1.generatedAddress = "00:0c:29:53:6b:d3"
ethernet1.generatedAddressOffset = "10"
ethernet2.generatedAddress = "00:0c:29:53:6b:dd"
ethernet2.generatedAddressOffset = "20"

tools.remindInstall = "TRUE"

ethernet0.connectionType = "custom"
ethernet0.vnet = "/dev/vmnet1"

priority.grabbed = "normal"
priority.ungrabbed = "normal"

workingDir = "/images/tmp"
redoLogDir = "/images/tmp"
logging = "FALSE"
debug = "FALSE"

uuid.action = "keep"
snapshot.disabled = "TRUE"
snapshot.action = "keep"

You have to edit each of the .vmx files. We will start with the one for the firewall.

The lines that need to be altered are:

Original                                             Becomes
ide1:0.fileName = "/images/netsec/bbc/bbc-2.1.iso"   ide1:0.fileName = "/images/netsec/bbc-2.1.iso"
displayName = "BBCtest3"                             displayName = "Firewall"
guestOS = "other26xlinux"                            guestOS = "other24xlinux"
ethernet1.connectionType = "custom"                  ethernet1.connectionType = "hostonly"
ethernet2.connectionType = "custom"                  ethernet2.connectionType = "hostonly"
ethernet0.connectionType = "custom"                  ethernet0.connectionType = "nat"
workingDir = "/images/tmp"                           workingDir = "/images/netsec/your_login_name"
redoLogDir = "/images/tmp"                           redoLogDir = "/images/netsec/your_login_name"

The vmx files actually determine what hardware is present in the virtual machine.
This includes such things as Ethernet card MAC addresses. It is important that devices
that are communicating have different MAC addresses.

VMware has its own range of MAC addresses that you can assign yourself. These are
00:50:56:00:00:00 to 00:50:56:3F:FF:FF. It is important that you give the internal and
external machines different static addresses from this range, otherwise they will not be
able to communicate.

Another issue to be addressed is the type of network card used.

Type of Card   Description

hostonly       Network card is part of the virtual VMware network

bridged        Network card gets its own network address but works
               through the local host

nat            Network card gets its own network address but works
               through the local host

Changes for internal.vmx

Original                                             Becomes
ide1:0.fileName = "/images/netsec/bbc/bbc-2.1.iso"   ide1:0.fileName = "/images/netsec/bbc-2.1.iso"
displayName = "BBCtest3"                             displayName = "Internal"
guestOS = "other26xlinux"                            guestOS = "other24xlinux"
ethernet1.present = "TRUE"                           Delete all these lines or comment
ethernet1.connectionType = "custom"                  them out using "#"
ethernet2.present = "TRUE"
ethernet2.connectionType = "custom"
ethernet2.vnet = "/dev/vmnet8"
ethernet1.vnet = "/dev/vmnet2"
ethernet0.addressType = "generated"                  ethernet0.addressType = "static"
ethernet1.addressType = "generated"                  Delete all these lines or comment
ethernet2.addressType = "generated"                  them out using "#"
ethernet0.connectionType = "custom"                  ethernet0.connectionType = "hostonly"
ethernet0.generatedAddress = "00:0c:29:53:6b:c9"     ethernet0.Address = "00:50:56:00:00:01"
                                                     (or some other address in the
                                                     acceptable range)
workingDir = "/images/tmp"                           workingDir = "/images/netsec/your_login_name"
redoLogDir = "/images/tmp"                           redoLogDir = "/images/netsec/your_login_name"

Changes for external.vmx

Original                                             Becomes
ide1:0.fileName = "/images/netsec/bbc/bbc-2.1.iso"   ide1:0.fileName = "/images/netsec/bbc-2.1.iso"
displayName = "BBCtest3"                             displayName = "External"
guestOS = "other26xlinux"                            guestOS = "other24xlinux"
ethernet1.present = "TRUE"                           Delete all these lines or comment
ethernet1.connectionType = "custom"                  them out using "#"
ethernet2.present = "TRUE"
ethernet2.connectionType = "custom"
ethernet2.vnet = "/dev/vmnet8"
ethernet1.vnet = "/dev/vmnet2"
ethernet0.addressType = "generated"                  ethernet0.addressType = "static"
ethernet1.addressType = "generated"                  Delete all these lines or comment
ethernet2.addressType = "generated"                  them out using "#"
ethernet0.connectionType = "custom"                  ethernet0.connectionType = "hostonly"
ethernet0.generatedAddress = "00:0c:29:53:6b:c9"     ethernet0.Address = "00:50:56:00:00:02"
                                                     (or some other address in the
                                                     acceptable range; make sure it is
                                                     not the same as the internal MAC
                                                     address)
workingDir = "/images/tmp"                           workingDir = "/images/netsec/your_login_name"
redoLogDir = "/images/tmp"                           redoLogDir = "/images/netsec/your_login_name"
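The three sets of edits above can be applied mechanically. The script below is an added example, not part of the lab handout: it derives firewall.vmx, internal.vmx and external.vmx from an unmodified BBCtest3.vmx with sed, and then checks that the static MACs given to internal and external are distinct and fall inside the VMware range. The LOGIN variable is a placeholder for the directory named after your login; the role and function names are this example's own.

```shell
# Added example (not the lab's own script): apply the tabulated .vmx edits and
# verify the static MACs. LOGIN is a placeholder for your /images/netsec directory.
LOGIN="${LOGIN:-your_login_name}"
WORKDIR="/images/netsec/$LOGIN"
# common_edits NAME: edits shared by all three files (ISO path, display name,
# guest OS, working directories); reads the base file on stdin.
common_edits() {
    sed -e 's|"/images/netsec/bbc/bbc-2.1.iso"|"/images/netsec/bbc-2.1.iso"|' \
        -e "s|displayName = \"BBCtest3\"|displayName = \"$1\"|" \
        -e 's|guestOS = "other26xlinux"|guestOS = "other24xlinux"|' \
        -e "s|= \"/images/tmp\"|= \"$WORKDIR\"|"
}
# make_vmx ROLE NAME SRC DST [MAC]: ROLE is firewall, internal or external.
make_vmx() {
    case $1 in
    firewall)   # eth0 on NAT, eth1/eth2 host-only; generated MACs are kept
        common_edits "$2" < "$3" | sed \
            -e 's|ethernet0.connectionType = "custom"|ethernet0.connectionType = "nat"|' \
            -e 's|\(ethernet[12].connectionType = \)"custom"|\1"hostonly"|' > "$4" ;;
    internal|external)   # one host-only NIC with a static MAC; eth1/eth2 commented out
        [ -n "${5:-}" ] || { echo "$1 needs a static MAC" >&2; return 1; }
        common_edits "$2" < "$3" | sed \
            -e 's|^ethernet[12]\.|#&|' \
            -e 's|ethernet0.connectionType = "custom"|ethernet0.connectionType = "hostonly"|' \
            -e 's|ethernet0.addressType = "generated"|ethernet0.addressType = "static"|' \
            -e "s|ethernet0.generatedAddress = \".*\"|ethernet0.Address = \"$5\"|" > "$4" ;;
    *) echo "unknown role $1" >&2; return 1 ;;
    esac
}
# mac_in_vmware_range MAC: succeeds if MAC lies in 00:50:56:00:00:00-00:50:56:3F:FF:FF.
mac_in_vmware_range() {
    case $1 in
    00:50:56:[0-3][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]) return 0 ;;
    *) return 1 ;;
    esac
}
# check_static_macs FILE...: fail on any ethernet0.Address out of range or reused.
check_static_macs() {
    macs=$(sed -n 's|^ethernet0.Address = "\(.*\)"|\1|p' "$@")
    for m in $macs; do
        mac_in_vmware_range "$m" || { echo "$m is outside the VMware range" >&2; return 1; }
    done
    dup=$(printf '%s\n' $macs | sort | uniq -d)
    [ -z "$dup" ] || { echo "MAC $dup is used more than once" >&2; return 1; }
}
```

Run it from your /images/netsec directory, e.g. `make_vmx internal Internal /images/netsec/BBCtest3/BBCtest3.vmx internal/internal.vmx 00:50:56:00:00:01`, then `check_static_macs internal/internal.vmx external/external.vmx` before booting the machines.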

Booting up your Virtual Machines

In the KDE GUI, select the K menu, then System then VMware Player. Then click on
“Open an existing virtual machine”

Navigate through the File System menu option till you get to your image files in
/images/netsec/your_user_name. Double-click on the .vmx file. The system will boot
up.

Useful Tips

(1) If VMware Player prints "/dev/vmnet0 not found", this may be due to a rogue VMware
process. Try closing down any running VMware images, rebooting the computer and
then starting VMware Player again.

(2) If a system says that a lock file has been found, remove any files or directories
with the extension “.lck” from the directory containing your vmware configuration.

Click on the window, key in 1 then press return. The system will boot up. Login as
root.

Start up the internal and external vmx files in VMplayer as well. Choose the graphics
option when booting up for these machines.

Note: Entering text and using the mouse in the virtual machines.

Click on the virtual machine window. Input from the keyboard and mouse is then
captured by the virtual machine.

To release mouse and keyboard input from the machine, press Ctrl-Alt
simultaneously.

Configuring the Network Interfaces in the Virtual Machines.

The firewall.

Login as root on the firewall and run the program trivial-net-setup.

Click OK through the various screens that appear.

When prompted for what module to use, pick "autoinsert".

The system will identify the card types present and then ask you which one of the
three cards you want to configure.

Firstly pick eth0 (This is the card that will be used with nat to connect to the real
internet). Configure eth0 using DHCP.

The system will get an IP address using the faculty’s DHCP server. You now need to
configure the other 2 ethernet cards. Run trivial-net-setup again. The procedure is
exactly the same as for eth0 up to the point where you are given the choice of using
DHCP.

Pick the manual configuration option.

For eth1, the following settings are recommended:

Setting             Value
IP Address          192.168.1.1
Netmask             255.255.255.0
Gateway             none
Default nameserver  none

For eth2, the following settings are recommended:

Setting             Value
IP Address          172.16.1.1
Netmask             255.255.0.0
Gateway             none
Default nameserver  none

Once you have completed the network configuration of the firewall, you need to
configure the eth0 interface of the internal and external virtual machines.

This is done in exactly the same way as was done for the firewall. The details are set
out below.

For internal eth0, the following settings are recommended:

Setting             Value
IP Address          192.168.1.2
Netmask             255.255.255.0
Gateway             192.168.1.1
Default nameserver  none

For external eth0, the following settings are recommended:

Setting             Value
IP Address          172.16.1.2
Netmask             255.255.0.0
Gateway             172.16.1.1
Default nameserver  none

Enabling forwarding on the firewall.

The final step is to enable IP forwarding on the Linux firewall. This is done from
the bash shell on the firewall.

echo "1" > /proc/sys/net/ipv4/ip_forward

Once this last step is completed, if everything else has been done correctly, the
machines should be able to ping each other. The screenshot below shows the external
host pinging the internal host through the firewall.

If you wish, you may create more complex network topologies, e.g. a DMZ and/or
several external machines and/or several internal machines.

Setting up the Servers on BBC Linux

Starting the web server

This can be set up on both the internal and external machines, but should not be run on
the firewall.

The web server on BBC Linux is thttpd (trivial http server). It can be started by
running

/etc/init.d/thttpd start

from the command line.

Creating simple web pages for the web server

From the command line enter the following commands

cd /mnt/rw/var
mkdir www
cd www
vi index.html

index.html might look like this

<html>
<head><title>Main index Page</title>
</head>
<body>
This is an example page
</body>
</html>

You can create other html files as well e.g. test.html, test1.html, etc.

Starting X Windows.

X Windows can be started by running the command startx. Note: X Windows is only
available if you booted up BBC Linux with an option of 2 or greater. It should not be
run on the firewall.

Starting a browser in x-windows



Once selected, the browsex browser can be used to access the web server. The
screenshot below shows a browser running on external accessing the web server on
internal.

Note: the browser is quite slow.

Starting the ssh server

To start the ssh server run

/etc/init.d/sshd start

Note: the ssh server should be started on all of the hosts.

By default, the root user has no password. In order for remote logins to be allowed,
the root user has to have a password. This is done by using the passwd command.

Starting the tftp server

There is a tftp server called atftp. Firstly you need to create a directory to hold the
files to be retrieved from and sent to the tftp server. The directory is /home/tftp.

This can be done by the following unix commands from the command line.

cd /home
mkdir tftp
chmod 777 tftp
cd tftp

You should create some simple text files, e.g. f1.txt, f2.txt, f3.txt etc., in the tftp
directory. This can be done by using vi or by executing the following command for each
of the files you want to create.

echo "this is f1.txt" > f1.txt

To start the tftp server type in

atftpd --daemon /home/tftp

from the command line.

This starts the tftp server and sets the directory containing files to be retrieved and
sent to the server to /home/tftp.

The tftp server should NOT be run on the firewall.

Using the tftp client

To start the tftp client, type in

atftp

at the command line.

The prompt will change to the > character.

To connect to a particular server type in

connect <ip_address_of_server>

e.g.

connect 192.168.1.2

will connect to a tftp server on the host at 192.168.1.2



To retrieve files from the server type in

get <filename>

to send files type in

put <filename>

to get further information type in ? or help at the > prompt.

Type in quit to quit from the client.

Using an sftp (secure ftp) client.

It is possible to use an sftp client to retrieve data from other hosts. In particular, this is
useful for retrieving scripts from your home directory on Charlie to the firewall host.
This connection goes through the eth0 (bridged or nat) network card on the firewall.

N.B. If you are unable to log in and receive the message "Received message too long",
try removing any welcome or other messages produced by your login scripts on
Charlie.

Running netstat

You can check what ports are open by running the command

netstat -t -a
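The following is an added example, not part of the lab handout: it reads the output of netstat -t -a and lists the TCP ports a host is listening on, then compares them with the services this lab expects on each host (sshd on every host, thttpd only on internal and external, nothing but sshd on the firewall). The netstat output embedded below is a constructed sample, and the role and function names are this example's own.

```shell
# Added example (not from the handout): audit listening TCP ports against the
# services the lab expects on a given host. SAMPLE_NETSTAT is constructed, not captured.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          192.168.1.2:1027        ESTABLISHED'

# listening_ports: read "netstat -t -a" output on stdin; print each listening
# TCP port once, numerically sorted (the port is the last ':'-separated field
# of the Local Address column, which also copes with IPv6 forms like :::22).
listening_ports() {
    awk '$1 == "tcp" && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' \
        | sort -n | uniq
}

# audit_ports ROLE: read netstat output on stdin and print one line per
# deviation from the lab's plan: "unexpected PORT" for a listener ROLE should
# not have, "missing 22" when sshd is not listening (it must run everywhere).
audit_ports() {
    case $1 in
    firewall)          allowed="22" ;;      # no web, tftp or other servers here
    internal|external) allowed="22 80" ;;   # sshd plus thttpd
    *) echo "unknown role $1" >&2; return 1 ;;
    esac
    open=$(listening_ports | tr '\n' ' ')
    for p in $open; do
        case " $allowed " in *" $p "*) ;; *) echo "unexpected $p" ;; esac
    done
    case " $open " in *" 22 "*) ;; *) echo "missing 22" ;; esac
}
```

On a live host run `netstat -t -a | audit_ports firewall` (or internal/external). netstat -t shows TCP only; the tftp server uses UDP, so check it separately with netstat -u -a.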

An alternative approach to setting up a VMware network

It is possible to download VMware Server from the internet and use it on your laptop.
To do this you will need at least one Gigabyte of RAM to run VMware Server.

There are a number of distributions of Linux that can be used. These include:

Adios Linux
Backtrack Linux
DSL
plus many others.
