You have installed Fedora Linux on your firewall box, and now you're ready to give your network interface cards their final, working configurations.
Fedora gives each network interface a separate configuration file. You'll be editing /etc/sysconfig/network-scripts/ifcfg-eth0 and /etc/sysconfig/network-scripts/ifcfg-eth1.
First, configure the LAN interface with a static IP address appropriate for your private addressing scheme. Don't use DHCP to assign the LAN address.
Configure the WAN interface with the account information given to you by your ISP.
These examples show how to set a static local IP address and a dynamic external IP address.
Do not connect the WAN interface yet.
In this example, eth0 is the LAN interface and eth1 is the WAN interface:
##/etc/sysconfig/network-scripts/ifcfg-eth0
#use your own MAC address and LAN addresses
DEVICE=eth0
HWADDR=11:22:33:44:55:66
BOOTPROTO=none
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.1.23
NETWORK=192.168.1.0
USERCTL=no

##/etc/sysconfig/network-scripts/ifcfg-eth1
#use your real MAC address
DEVICE=eth1
HWADDR=AA:BB:CC:DD:EE:FF
BOOTPROTO=dhcp
USERCTL=no
How do you get the MAC addresses and interface names? Run ifconfig -a:
$ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:0B:6A:EF:7E:8D
[...]
And that's all you need to do, because you'll get all your WAN configurations from your ISP's DHCP server.
If your WAN address is a static IP address, configure the WAN NIC the same way as the LAN address using the information supplied by your ISP. This should include your ISP's gateway address, and your static IP address and netmask. Then, add your ISP's DNS servers to /etc/resolv.conf:
##/etc/resolv.conf
nameserver 11.22.33.44
nameserver 11.22.33.45
Restart networking or reboot, and you're ready for the next steps.
The LAN IP address of your firewall is the gateway address you'll be setting on all of your LAN PCs, so don't complicate your life by using a dynamically assigned address.
Routers typically run headless, without a keyboard or monitor. If your Ethernet-working gets all goofed up, the serial console will save the day. See Chapter 17 to learn how to set this up.
Every Linux distribution comes with a number of graphical network configuration tools. Feel free to use these, though it's always good to understand the underlying text configuration files and scripts.
When you have two NICs on a Linux box, they are usually brought up in the same order on boot, and given the same names (e.g., eth0, eth1, etc.). But sometimes, the order is reversed, which will render your nice firewall box useless, so binding the device names to their MAC addresses ensures that the configurations always stay put. That's what the DEVICE directive is for.
You can even give your interfaces names of your own choosing, like "lan" and "wan." You may also rename the configuration file to help you remember, like /etc/sysconfig/network-scripts/ifcfg-lan. You must use "ifcfg" in the filename, or it won't work.
This is what the configuration options mean:
DEVICE
Name of the physical device.
HWADDR
The real MAC address of the NIC. Don't confuse this with MACADDR, because MACADDR assigns a new MAC address, overriding the existing one. Why would you want to change a MAC address? There aren't many legitimate reasons, though it is a good reminder to see how easy it is to spoof a MAC address, and why you should not rely on MAC addresses as secure identifiers.
BOOTPROTO
ONBOOT
NETMASK
Address mask for your network. Unfortunately, CIDR addressing is not yet supported.
IPADDR
USERCTL
Broadcast addresses are automatically calculated with ifcalc, so it's not necessary to specify them.
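As an added example (not part of the original text), this shell function checks an ifcfg file against the MAC address the kernel reports, covering both the HWADDR binding and the MACADDR override described above. It assumes each NIC's address is readable at /sys/class/net/<dev>/address; the function names check_ifcfg and ifcfg_get are made up for this example.

```shell
# Added example: audit one ifcfg file against the kernel's view of the NIC.
# Assumption: the NIC's current MAC is readable at <sysfs-net-dir>/<dev>/address.

# Read KEY=value from an ifcfg file without sourcing (executing) it.
ifcfg_get() {  # $1=file $2=key
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Usage: check_ifcfg <ifcfg-file> [sysfs-net-dir]
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_ifcfg() {
    cfg=$1
    sysnet=${2:-/sys/class/net}
    rc=0
    dev=$(ifcfg_get "$cfg" DEVICE)
    hw=$(ifcfg_get "$cfg" HWADDR | tr 'A-F' 'a-f')
    mac=$(ifcfg_get "$cfg" MACADDR)
    proto=$(ifcfg_get "$cfg" BOOTPROTO)
    ip=$(ifcfg_get "$cfg" IPADDR)

    if [ -z "$dev" ]; then
        echo "$cfg: no DEVICE line"; return 1
    fi
    if [ -z "$hw" ]; then
        echo "$dev: no HWADDR, name is not pinned to a NIC"; rc=1
    elif [ -r "$sysnet/$dev/address" ]; then
        # Compare case-insensitively: sysfs reports lowercase hex.
        real=$(tr 'A-F' 'a-f' < "$sysnet/$dev/address")
        if [ "$real" != "$hw" ]; then
            echo "$dev: HWADDR $hw does not match NIC $real"; rc=1
        fi
    else
        echo "$dev: interface not present under $sysnet"; rc=1
    fi
    # MACADDR overrides the real address; flag it so it is a deliberate choice.
    if [ -n "$mac" ]; then
        echo "$dev: MACADDR set, hardware address will be overridden"; rc=1
    fi
    # A non-DHCP interface needs an explicit address.
    if [ "$proto" != "dhcp" ] && [ -z "$ip" ]; then
        echo "$dev: BOOTPROTO=${proto:-unset} but no IPADDR"; rc=1
    fi
    return $rc
}
```

Run it against each file before restarting networking, for example check_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth0.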
See the Discussion in the previous recipe for more discussion of hardware requirements
man 8 ifconfig
Red Hat maintains a complete archive of manuals online at http://www.redhat.com/docs/manuals/; look for the Networking chapters in the Reference Guides