Guruplug firewall project
Release 0.3
In release 0.3 I first download the ARM image, an .img file that only works on the ARM architecture. I convert the image file and transfer it onto a micro SD card, then test the image by inserting the card into the Guruplug server and booting it up. Next, I need a JTAG adaptor to connect to the Guruplug server and verify whether the image boots successfully. In addition, I make a case example to test the firewall.
1) Download the Fedora Remix ARM image for the Guruplug server from the link below:
2) Use the Ark tool to extract the img.xz file onto the local hard disk
3) Use the command "fdisk -l" to find the device name of the micro SD card
4) Transfer the image with the command "dd" (the convert and copy utility):
· if = the source image name
· of = the output location
· dd if=<the image name> of=/dev/<the micro SD card drive>
· e.g. dd if=Fedora-17-arm-kirkwood-mmcblk0.img of=/dev/sdb
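As an added example (not part of the original post), the shell helper below wraps the dd step above: it refuses to write to a device that is currently mounted, copies with conv=fsync so the data is committed to the card before dd returns, and then verifies the copy by comparing the SHA-256 of the source with a read-back of the target. The same function copies in the reverse direction when the finished card is read back into an image file (step 6 of the case example). It assumes GNU coreutils (dd status=none, stat -c, sha256sum, head -c) and util-linux blockdev; the image and device names in the usage comment are the ones from the post.

```shell
#!/bin/bash
# Added example, not from the original post: write a raw image to the micro
# SD card (or read the card back into a file) with dd and verify the result.
# Assumes GNU coreutils (dd status=none, stat -c, sha256sum, head -c) and
# util-linux blockdev; the image/device names are illustrative.
set -u

# Succeed if PATH, or a partition on it (/dev/sdb1, /dev/mmcblk0p1), appears
# in /proc/mounts. Writing to a mounted device is the classic way to destroy
# the wrong disk, so the copy refuses in that case.
target_is_mounted() {
    grep -qE "^$1(p?[0-9]+)? " /proc/mounts 2>/dev/null
}

# Size in bytes of a regular file or of a block device.
byte_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# copy_image_verified SRC DST
# dd SRC onto DST, flush it to the medium, then compare the SHA-256 of SRC
# with the SHA-256 of the first byte_size(SRC) bytes read back from DST.
copy_image_verified() {
    local src=$1 dst=$2 size h_src h_dst
    [ -r "$src" ] || { echo "source $src is not readable" >&2; return 1; }
    if target_is_mounted "$dst"; then
        echo "refusing to write: $dst (or a partition on it) is mounted" >&2
        return 1
    fi
    # bs=4M for throughput; conv=fsync makes dd flush the card before it
    # reports success, so the verification below reads committed data.
    dd if="$src" of="$dst" bs=4M conv=fsync status=none || return 1
    size=$(byte_size "$src")
    h_src=$(sha256sum < "$src" | cut -d' ' -f1)
    h_dst=$(head -c "$size" "$dst" | sha256sum | cut -d' ' -f1)
    if [ "$h_src" != "$h_dst" ]; then
        echo "verification FAILED: $dst does not match $src" >&2
        return 1
    fi
    echo "verified: $size bytes written to $dst (sha256 $h_src)"
}

# Usage as in the post (run as root, after confirming the device with fdisk -l):
#   copy_image_verified Fedora-17-arm-kirkwood-mmcblk0.img /dev/sdb
# and in reverse, to publish the configured card as an image file:
#   copy_image_verified /dev/sdb Guruplug-fw.img
```

The read-back check is what tells you the card actually holds what you wrote; a silently failing or counterfeit card passes the dd step but fails the hash comparison.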
How to use the JTAG adaptor to connect to the Guruplug server?
1) Understand what the JTAG adaptor is
The USB side connects to the laptop, and the 4-pin connector in the middle of the cable connects to the Guruplug server.
2) Install and set up the minicom 2.5 utility on your laptop as the terminal for reaching the Guruplug server
· Install minicom package
yum install minicom
· Start minicom in setup mode
minicom -s
· Setup minicom in its menu
The serial device is the only item that needs to be changed: set it to /dev/ttyUSB0 as the connection interface, then save the settings.
+------------------------------------------------------------+
| A -    Serial Device      : /dev/ttyUSB0                   |
| B - Lockfile Location     : /var/lock                      |
| C -   Callin Program      :                                |
| D -  Callout Program      :                                |
| E -    Bps/Par/Bits       : 115200 8N1                     |
| F - Hardware Flow Control : No                             |
| G - Software Flow Control : No                             |
|                                                            |
|    Change which setting?                                   |
+------------------------------------------------------------+
3) Initialize the connection
Press Control + A, then X, then Esc
This re-initializes the connection to the Guruplug server
4) Problems when initializing the connection (in Fedora 17) (solved)
Failed to mount ext2 filesystem...
** Bad ext2 partition or disk - usb 1:1 **
Wrong Image Format for bootm command
Error: can't get kernel image!
a) First, I re-partitioned my micro SD card to make sure it was in the unallocated state. Since the image we download already contains two partitions, we don't need to format it again.
b) Second, if it still does not boot up, or the screen shows garbage characters, unplug the server and plug it back in. The problem should then go away.
5) If the connection is successful, you can see the system self-test output, like below:
Environment size: 618/131068 bytes
Marvell>> boot
(Re)start USB...
USB: Register 10011 NbrPorts 1
USB EHCI 1.00
scanning bus for devices... 3 USB Device(s) found
scanning bus for storage devices... Device NOT ready
Request Sense returned 02 3A 00
2 Storage Device(s) found
reading uImage-kirkwood
3291896 bytes read
reading uInitrd-kirkwood
10112646 bytes read
## Booting kernel from Legacy Image at 06400000 ...
Image Name: 3.4.2-3.fc17.armv5tel.kirkwood
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 3291832 Bytes = 3.1 MiB
Load Address: 00008000
Entry Point: 00008000
Verifying Checksum ... OK
## Loading init Ramdisk from Legacy Image at 07400000 ...
Image Name: initramfs
Image Type: ARM Linux RAMDisk Image (uncompressed)
Data Size: 10112582 Bytes = 9.6 MiB
Load Address: 00000000
Entry Point: 00000000
Verifying Checksum ... OK
Loading Kernel Image ... OK
OK
Starting kernel ...
Uncompressing Linux... done, booting the kernel.
[ 0.000000] Booting Linux on physical CPU 0
[ 0.000000] Initializing cgroup subsys cpuset
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Linux version 3.4.2-3.fc17.armv5tel.kirkwood (mockbuild@hsv-trimslice-8-v5tel.farm.hsv.redhat.com) (gcc version 4.7.0 20120507 (Red Hat 4.7.0-5) (GCC) )2
[ 0.000000] CPU: Feroceon 88FR131 [56251311] revision 1 (ARMv5TE), cr=00053977
[ 0.000000] CPU: VIVT data cache, VIVT instruction cache
[ 0.000000] Machine: Marvell GuruPlug Reference Board
[ 0.000000] Memory policy: ECC disabled, Data cache writeback
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 130048
[ 0.000000] Kernel command line: console=ttyS0,115200 root=LABEL=rootfs rootwait
[ 0.000000] PID hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.000000] Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
[ 0.000000] Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
[ 0.000000] allocated 1048576 bytes of page_cgroup
[ 0.000000] please try 'cgroup_disable=memory' option if you don't want memory cgroups
[ 0.000000] Memory: 512MB = 512MB total
[ 0.000000] Memory: 501352k/501352k available, 22936k reserved, 0K highmem
[ 0.000000] Virtual kernel memory layout:
[ 0.000000] vector : 0xffff0000 - 0xffff1000 ( 4 kB)
[ 0.000000] fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
[ 0.000000] vmalloc : 0xe0800000 - 0xff000000 ( 488 MB)
[ 0.000000] lowmem : 0xc0000000 - 0xe0000000 ( 512 MB)
[ 0.000000] pkmap : 0xbfe00000 - 0xc0000000 ( 2 MB)
[ 0.000000] modules : 0xbf000000 - 0xbfe00000 ( 14 MB)
[ 0.000000] .text : 0xc0008000 - 0xc05db798 (5966 kB)
[ 0.000000] .init : 0xc05dc000 - 0xc0622000 ( 280 kB)
[ 0.000000] .data : 0xc0622000 - 0xc06778e0 ( 343 kB)
[ 0.000000] .bss : 0xc0677904 - 0xc0751e2c ( 874 kB)
[ 0.000000] SLUB: Genslabs=13, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:114
[ 0.000000] gpiochip_add: registered GPIOs 0 to 31 on device: orion_gpio0
[ 0.000000] gpiochip_add: registered GPIOs 32 to 49 on device: orion_gpio1
[ 0.000000] sched_clock: 32 bits at 200MHz, resolution 5ns, wraps every 21474ms
[ 0.000000] Console: colour dummy device 80x30
[ 1.190232] Calibrating delay loop... 1191.11 BogoMIPS (lpj=5955584)
[ 1.280163] pid_max: default: 32768 minimum: 301
[ 1.280270] Security Framework initialized
[ 1.280316] SELinux: Initializing.
[ 1.280539] Mount-cache hash table entries: 512
[ 1.281084] Initializing cgroup subsys cpuacct
[ 1.281097] Initializing cgroup subsys memory
[ 1.281125] Initializing cgroup subsys devices
[ 1.281135] Initializing cgroup subsys freezer
[ 1.281144] Initializing cgroup subsys net_cls
[ 1.281152] Initializing cgroup subsys blkio
[ 1.281171] Initializing cgroup subsys perf_event
[ 1.281245] CPU: Testing write buffer coherency: ok
[ 1.281318] ftrace: allocating 17933 entries in 36 pages
[ 1.308469] Setting up static identity map for 0x430670 - 0x4306ac
[ 1.309419] devtmpfs: initialized
[ 1.310737] atomic64 test passed
[ 1.310922] NET: Registered protocol family 16
[ 1.311450] Kirkwood: MV88F6281-A0, TCLK=200000000.
[ 1.311464] Feroceon L2: Cache support initialised, in WT override mode.
[ 1.316943] bio: create slab <bio-0> at 0
[ 1.317395] vgaarb: loaded
[ 1.317704] SCSI subsystem initialized
[ 1.318083] usbcore: registered new interface driver usbfs
[ 1.318135] usbcore: registered new interface driver hub
[ 1.318249] usbcore: registered new device driver usb
[ 1.318860] NetLabel: Initializing
[ 1.318871] NetLabel: domain hash size = 128
[ 1.318878] NetLabel: protocols = UNLABELED CIPSOv4
[ 1.318926] NetLabel: unlabeled traffic allowed by default
[ 1.319020] Switching to clocksource orion_clocksource
[ 1.338897] NET: Registered protocol family 2
[ 1.339130] IP route cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 1.339528] TCP established hash table entries: 16384 (order: 5, 131072 bytes)
[ 1.339884] TCP bind hash table entries: 16384 (order: 4, 65536 bytes)
[ 1.340065] TCP: Hash tables configured (established 16384 bind 16384)
[ 1.340074] TCP: reno registered
[ 1.340085] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 1.340108] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 1.340321] NET: Registered protocol family 1
[ 1.340556] Unpacking initramfs...
[ 2.248424] Freeing initrd memory: 9872K
[ 2.249086] audit: initializing netlink socket (disabled)
[ 2.249150] type=2000 audit(1.050:1): initialized
[ 2.358864] VFS: Disk quotas dquot_6.5.2
[ 2.359117] Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
[ 2.361078] msgmni has been set to 998
[ 2.362832] alg: No test for stdrng (krng)
[ 2.362856] NET: Registered protocol family 38
[ 2.363059] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)
[ 2.363202] io scheduler noop registered
[ 2.363213] io scheduler deadline registered
[ 2.363248] io scheduler cfq registered (default)
[ 2.363722] mv_xor_shared mv_xor_shared.0: Marvell shared XOR driver
[ 2.363767] mv_xor_shared mv_xor_shared.1: Marvell shared XOR driver
[ 2.399150] mv_xor mv_xor.0: Marvell XOR: ( xor cpy )
[ 2.439149] mv_xor mv_xor.1: Marvell XOR: ( xor fill cpy )
[ 2.479146] mv_xor mv_xor.2: Marvell XOR: ( xor cpy )
[ 2.519148] mv_xor mv_xor.3: Marvell XOR: ( xor fill cpy )
[ 2.519492] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[ 2.540252] serial8250.0: ttyS0 at MMIO 0xf1012000 (irq = 33) is a 16550A
[ 3.052289] console [ttyS0] enabled
[ 3.060012] loop: module loaded
[ 3.063653] Fixed MDIO Bus: probed
[ 3.067291] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 3.073915] orion-ehci orion-ehci.0: Marvell Orion EHCI
[ 3.079361] orion-ehci orion-ehci.0: new USB bus registered, assigned bus number 1
[ 3.109081] orion-ehci orion-ehci.0: irq 19, io mem 0xf1050000
[ 3.129060] orion-ehci orion-ehci.0: USB 2.0 started, EHCI 1.00
[ 3.135070] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002
[ 3.141909] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[ 3.149174] usb usb1: Product: Marvell Orion EHCI
[ 3.153898] usb usb1: Manufacturer: Linux 3.4.2-3.fc17.armv5tel.kirkwood ehci_hcd
[ 3.161425] usb usb1: SerialNumber: orion-ehci.0
[ 3.166535] hub 1-0:1.0: USB hub found
[ 3.170332] hub 1-0:1.0: 1 port detected
[ 3.174548] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[ 3.180814] uhci_hcd: USB Universal Host Controller Interface driver
[ 3.187434] usbcore: registered new interface driver usbserial
[ 3.193356] usbcore: registered new interface driver usbserial_generic
[ 3.199961] USB Serial support registered for generic
[ 3.205033] usbserial: USB Serial Driver core
[ 3.209597] mousedev: PS/2 mouse device common for all mice
[ 3.215752] rtc-mv rtc-mv: rtc core: registered rtc-mv as rtc0
[ 3.222169] device-mapper: uevent: version 1.0.3
[ 3.227116] device-mapper: ioctl: 4.22.0-ioctl (2011-10-19) initialised: dm-devel@redhat.com
[ 3.235748] cpuidle: using governor ladder
[ 3.239957] cpuidle: using governor menu
[ 3.244503] usbcore: registered new interface driver usbhid
[ 3.250113] usbhid: USB HID core driver
[ 3.254348] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 3.259752] TCP: cubic registered
[ 3.263079] Initializing XFRM netlink socket
[ 3.268066] NET: Registered protocol family 10
[ 3.273455] Mobile IPv6
[ 3.275920] NET: Registered protocol family 17
[ 3.280420] Registering the dns_resolver key type
[ 3.285751] registered taskstats version 1
[ 3.290175] rtc-mv rtc-mv: setting system clock to 2012-12-07 23:02:23 UTC (1354921343)
[ 3.298265] Initializing network drop monitor service
[ 3.304404] Freeing init memory: 280K
[ 3.489123] usb 1-1: new high-speed USB device number 2 using orion-ehci
[ 3.613561] dracut: dracut-018-53.git20120605.fc17
[ 3.654993] usb 1-1: New USB device found, idVendor=05e3, idProduct=0608
[ 3.661755] usb 1-1: New USB device strings: Mfr=0, Product=1, SerialNumber=0
[ 3.668928] usb 1-1: Product: USB2.0 Hub
[ 3.693305] hub 1-1:1.0: USB hub found
[ 3.707268] hub 1-1:1.0: 4 ports detected
[ 3.834990] udevd[82]: starting version 182
[ 3.989399] usb 1-1.1: new high-speed USB device number 3 using orion-ehci
[ 4.121115] usb 1-1.1: New USB device found, idVendor=05e3, idProduct=0726
[ 4.128030] usb 1-1.1: New USB device strings: Mfr=0, Product=1, SerialNumber=2
[ 4.135395] usb 1-1.1: Product: USB Storage
[ 4.139631] usb 1-1.1: SerialNumber: 000000009909
[ 4.166480] mmc0: mvsdio driver initialized, lacking card detect (fall back to polling)
[ 4.199643] sata_mv sata_mv.0: slots 32 ports 1
[ 4.226739] scsi0 : sata_mv
[ 4.229883] ata1: SATA max UDMA/133 irq 21
[ 4.247197] mmc0: new high speed SDIO card at address 0001
[ 4.470252] Initializing USB Mass Storage driver...
[ 4.480216] scsi1 : usb-storage 1-1.1:1.0
[ 4.485893] usbcore: registered new interface driver usb-storage
[ 4.491959] USB Mass Storage support registered.
[ 4.579076] ata1: SATA link down (SStatus 0 SControl F300)
[ 5.500326] scsi 1:0:0:0: Direct-Access Generic STORAGE DEVICE 9909 PQ: 0 ANSI: 0
[ 5.509062] scsi 1:0:0:1: Direct-Access Generic STORAGE DEVICE 9909 PQ: 0 ANSI: 0
[ 5.523538] sd 1:0:0:0: [sda] Attached SCSI removable disk
[ 5.529763] sd 1:0:0:0: Attached scsi generic sg0 type 0
[ 5.543877] sd 1:0:0:1: Attached scsi generic sg1 type 0
[ 5.550031] sd 1:0:0:1: [sdb] 15661056 512-byte logical blocks: (8.01 GB/7.46 GiB)
[ 5.564535] sd 1:0:0:1: [sdb] Write Protect is off
[ 5.574652] sd 1:0:0:1: [sdb] No Caching mode page present
[ 5.580204] sd 1:0:0:1: [sdb] Assuming drive cache: write through
[ 5.597768] sd 1:0:0:1: [sdb] No Caching mode page present
[ 5.603322] sd 1:0:0:1: [sdb] Assuming drive cache: write through
[ 5.617724] sdb: sdb1 sdb2
[ 5.624765] sd 1:0:0:1: [sdb] No Caching mode page present
[ 5.630311] sd 1:0:0:1: [sdb] Assuming drive cache: write through
[ 5.636433] sd 1:0:0:1: [sdb] Attached SCSI removable disk
[ 6.064171] EXT4-fs (sdb2): mounted filesystem with ordered data mode. Opts: (null)
[ 6.213884] dracut: Checking ext4: /dev/disk/by-label/rootfs
[ 6.221178] dracut: issuing e2fsck -a /dev/disk/by-label/rootfs
[ 6.320801] dracut: rootfs: clean, 19221/82720 files, 143206/330527 blocks
[ 6.331378] dracut: Remounting /dev/disk/by-label/rootfs with -o ro
[ 6.403590] EXT4-fs (sdb2): mounted filesystem with ordered data mode. Opts: (null)
[ 6.442142] dracut: Mounted root filesystem /dev/sdb2
[ 6.618668] dracut: Switching root
[ 6.954168] type=1404 audit(1354921347.150:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
[ 9.383509] SELinux: Permission ptrace_child in class process not defined in policy.
[ 9.391894] SELinux: the above unknown classes and permissions will be allowed
[ 9.413586] type=1403 audit(1354921349.610:3): policy loaded auid=4294967295 ses=4294967295
Welcome to Fedora 17 (Beefy Miracle)!
Started Replay Read-Ahead Data [ OK ]
Starting Collect Read-Ahead Data...
[ 10.529224] systemd-readahead-collect[184]: Failed to mark /: Invalid argument
Starting Media Directory...
Started Lock Directory [ OK ]
Starting Runtime Directory...
Starting udev Coldplug all Devices...
Starting udev Kernel Device Manager...
Starting Journal Service...
Started Journal Service [ OK ]
Starting POSIX Message Queue File System...
Starting Security File System...
Starting Debug File System...
Started Huge Pages File System [ OK ]
Started Collect Read-Ahead Data [ OK ]
Started Media Directory [ OK ]
Started Runtime Directory [ OK ]
Started POSIX Message Queue File System [ OK ]
Started Security File System [ OK ]
Started Debug File System [ OK ]
Started Load legacy module configuration [ OK ]
Starting Remount API VFS...
[ 11.458209] udevd[191]: starting version 182
Starting Setup Virtual Console...
Started Load Kernel Modules [ OK ]
Starting Configuration File System...
Started FUSE Control File System [ OK ]
Starting Apply Kernel Variables...
Started Set Up Additional Binary Formats [ OK ]
Started File System Check on Root Device [ OK ]
Starting Remount Root FS...
Started Configuration File System [ OK ]
Started udev Kernel Device Manager [ OK ]
Started Remount API VFS [ OK ]
Started Apply Kernel Variables [ OK ]
Started udev Coldplug all Devices [ OK ]
Starting udev Wait for Complete Device Initialization...
[ 12.038578] EXT4-fs (sdb2): re-mounted. Opts: (null)
Started Remount Root FS [ OK ]
Started Import network configuration from initramfs [ OK ]
Starting Configure read-only root support...
Started Setup Virtual Console [ OK ]
Started Configure read-only root support [ OK ]
[ 12.585826] mv643xx_eth: MV-643xx 10/100/1000 ethernet driver version 1.4
[ 12.625971] mv643xx_eth smi: probed
[ 12.733613] cfg80211: Calling CRDA to update world regulatory domain
[ 12.778344] mv643xx_eth_port mv643xx_eth_port.0: eth0: port 0 with MAC address f0:ad:4e:00:1a:0f
[ 12.801634] Bluetooth: Core ver 2.16
[ 12.805297] NET: Registered protocol family 31
[ 12.809820] Bluetooth: HCI device and connection manager initialized
[ 12.838886] libertas_sdio: Libertas SDIO driver
[ 12.843485] libertas_sdio: Copyright Pierre Ossman
[ 12.901533] NAND device: Manufacturer ID: 0xec, Chip ID: 0xdc (Samsung NAND 512MiB 3,3V 8-bit)
[ 12.982726] Scanning device for bad blocks
[ 13.240218] Bad eraseblock 3391 at 0x00001a7e0000
[ 13.294579] Bad eraseblock 4056 at 0x00001fb00000
[ 13.315868] Bluetooth: HCI socket layer initialized
[ 13.339107] Bluetooth: L2CAP socket layer initialized
[ 13.344205] Bluetooth: SCO socket layer initialized
Starting /boot/uboot...
[ 14.289722] Creating 3 MTD partitions on "orion_nand":
[ 14.300007] 0x000000000000-0x000000100000 : "u-boot"
[ 14.316201] 0x000000100000-0x000000500000 : "uImage"
[ 14.328043] 0x000000500000-0x000020000000 : "root"
[ 14.347901] cfg80211: World regulatory domain updated:
[ 14.353127] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[ 14.361385] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 14.369180] cfg80211: (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[ 14.376963] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[ 14.384776] cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 14.392565] cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 14.420967] mv643xx_eth_port mv643xx_eth_port.1: eth1: port 0 with MAC address 02:50:43:97:88:b6
Started /boot/uboot [ OK ]
Started udev Wait for Complete Device Initialization [ OK ]
Starting Wait for storage scan...
[ 44.868174] libertas_sdio: failed to load firmware
[ 44.873416] libertas_sdio: probe of mmc0:0001:1 failed with error -5
[ 44.889239] Bluetooth: vendor=0x2df, device=0x9105, class=255, fn=2
Started Wait for storage scan [ OK ]
Starting Initialize storage subsystems (RAID, LVM, etc.)... [ 44.964267] Bluetooth: request_firmware(helper) failed, error code = -2
[ 44.971960] Bluetooth: Failed to download helper!
[ 44.978023] Bluetooth: Downloading firmware failed!
Started Initialize storage subsystems (RAID, LVM, etc.) [ OK ]
Starting Initialize storage subsystems (RAID, LVM, etc.)...
Started Initialize storage subsystems (RAID, LVM, etc.) [ OK ]
Started Mark the need to relabel after reboot [ OK ]
Started Relabel all filesystems, if necessary [ OK ]
Started Reconfigure the system on administrator request [ OK ]
Starting Recreate Volatile Files and Directories...
Starting Load Random Seed...
Starting Tell Plymouth To Write Out Runtime Data...
Started Load Random Seed [ OK ]
Started Tell Plymouth To Write Out Runtime Data [ OK ]
Started Recreate Volatile Files and Directories [ OK ]
Starting Network Manager...
Starting Command Scheduler...
Started Command Scheduler [ OK ]
Starting Root Filesystem Auto-Resizer...
Starting Wait for Plymouth Boot Screen to Quit...
Starting Login Service...
Starting System Logging Service...
Starting Permit User Sessions...
Starting Terminate Plymouth Boot Screen...
Starting LSB: Bring up/down networking...
Starting D-Bus System Message Bus...
Started Wait for Plymouth Boot Screen to Quit [ OK ]
Started Permit User Sessions [ OK ]
Started Terminate Plymouth Boot Screen [ OK ]
Starting Getty on tty1...
Started Getty on tty1 [ OK ]
Starting Serial Getty on ttyS0...
Started Serial Getty on ttyS0 [ OK ]
Stopped systemd-kmsg-syslogd.service [ OK ]
Started System Logging Service [ OK ]
Started D-Bus System Message Bus [ OK ]
Fedora release 17 (Beefy Miracle)
Kernel 3.4.2-3.fc17.armv5tel.kirkwood on an armv5tel (ttyS0)
Root password is 'fedoraarm'
fedora-arm login: Started Login Service [ OK ]
Started Root Filesystem Auto-Resizer [ OK ]
Started Network Manager [ OK ]
Starting Network Manager Wait Online...
[ 54.174631] ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 54.283532] ADDRCONF(NETDEV_UP): eth1: link is not ready
network[323]: Bringing up loopback interface: [ OK ]
network[323]: Bringing up interface eth0: Error: Connection activation failed: Device not managed by NetworkManager or unavailable
network[323]: [FAILED]
Failed to start LSB: Bring up/down networking [FAILED]
See 'systemctl status network.service' for details.
Started Load static arp entries [ OK ]
Failed to start Network Manager Wait Online [FAILED]
See 'systemctl status NetworkManager-wait-online.service' for details.
Starting Set time via NTP...
Starting OpenSSH server daemon...
Starting RPC bind service...
Started RPC bind service [ OK ]
Starting NFS file locking service....
[ 85.693184] RPC: Registered named UNIX socket transport module.
[ 85.699338] RPC: Registered udp transport module.
[ 85.704061] RPC: Registered tcp transport module.
[ 85.708788] RPC: Registered tcp NFSv4.1 backchannel transport module.
Started NFS file locking service. [ OK ]
Started OpenSSH server daemon [ OK ]
Failed to start Set time via NTP [FAILED]
See 'systemctl status ntpdate.service' for details.
Starting Network Time Service...
Started Network Time Service [ OK ]
Fedora release 17 (Beefy Miracle)
Kernel 3.4.2-3.fc17.armv5tel.kirkwood on an armv5tel (ttyS0)
Root password is 'fedoraarm'
fedora-arm login:
Fedora release 17 (Beefy Miracle)
Kernel 3.4.2-3.fc17.armv5tel.kirkwood on an armv5tel (ttyS0)
6) Plug in the network cable; you should see output like below:
[root@fedora-arm ~]# [548.670821] mv643xx_eth_port mv643xx_eth_port.0: eth0: link up, 100 Mb/s, full duplex, flow control disabled
[548.680885] ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
7) Log in to the system as root with the password fedoraarm.
8) Enable the necessary services:
service sshd start
service rsyslog start
service iptables start
Case Example
I set up three VMs on my host machine; below is the diagram:
The three VMs are a web server, an email server and a DNS server.
Guruplug firewall
  eth0 = 142.14.160.xx (external IP address, obtained from the ISP)
  eth1 = 192.168.1.1 (internal IP address)
Host network interface
  em1: 192.168.1.125
Virtual machines
  Web server:   192.168.122.80
  DNS server:   192.168.122.53
  Email server: 192.168.122.25
1) Enable IP forwarding on the Guruplug firewall and on the host machine
a. For the internal clients and servers to reach outside servers, IP forwarding must be enabled. Check the current value with:
· cat /proc/sys/net/ipv4/ip_forward
· A value written to /proc is lost when the system reboots, so enable it permanently in the sysctl.conf file:
· [root@fedora-arm ~]# vi /etc/sysctl.conf
· set net.ipv4.ip_forward = 1
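An added example (not from the original post) for the persistent step above: editing sysctl.conf by hand works, but a line that is commented out or a stale "= 0" left next to the new "= 1" is an easy way to end up with forwarding off after the next reboot. The helper below rewrites a sysctl file idempotently and reads back the value the file would apply. It is plain POSIX sh plus awk; the file path is a parameter so it can be tried on a copy before touching /etc/sysctl.conf.

```shell
#!/bin/bash
# Added example, not from the original post: make a sysctl setting such as
# net.ipv4.ip_forward = 1 persistent in a configuration file without
# leaving a stale "= 0" or a duplicate line behind. Pure POSIX sh + awk.
set -u

# set_sysctl_persistent FILE KEY VALUE
# Rewrites FILE so that it contains exactly one active "KEY = VALUE" line:
# an existing line for KEY (active or commented out with '#') is replaced
# in place, later duplicates are dropped, and if KEY is absent the line is
# appended. Other lines are left untouched.
set_sysctl_persistent() {
    local file=$1 key=$2 value=$3 tmp
    [ -e "$file" ] || : > "$file"
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)       # strip indent and a leading "#"
            if (index(line, key) == 1 && line ~ ("^" key "[ \t]*=")) {
                if (!done) { print key " = " value; done = 1 }
                next                              # drop duplicates of KEY
            }
            print
        }
        END { if (!done) print key " = " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_sysctl_persistent FILE KEY
# Prints the value the file would apply for KEY: the last active (uncommented)
# assignment wins, mirroring how sysctl -p processes the file.
get_sysctl_persistent() {
    local file=$1 key=$2
    awk -v key="$key" -F= '
        /^[ \t]*#/ { next }
        NF >= 2 {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) { v = $2; gsub(/[ \t]/, "", v); val = v }
        }
        END { print val }
    ' "$file"
}

# After editing the real file, apply it without a reboot:
#   sysctl -p /etc/sysctl.conf        (or sysctl -w net.ipv4.ip_forward=1)
# and confirm with cat /proc/sys/net/ipv4/ip_forward, as in the post.
```

Usage: set_sysctl_persistent /etc/sysctl.conf net.ipv4.ip_forward 1, then sysctl -p to apply it to the running kernel.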
2) Setup the interface eth1
vi /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
NM_CONTROLLED=yes
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
GATEWAY=192.168.1.1
3) Setup the interface eth0
vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
NM_CONTROLLED=yes
4) You can modify the rules to fit your home or company needs. The same script, Guruplug-fw.sh, is already saved in the root directory of the release 0.3 image. Below is the reference bash shell script for the firewall setup on the Guruplug.
#!/bin/bash
# Clear any previous rules.
/sbin/iptables -F
# Default policies: drop inbound and forwarded packets, allow outbound.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
# Drop any new TCP connection that does not start with a SYN, and use the recent
# module to drop a source that sends 60 or more SYNs within one second (SYN flood).
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
/sbin/iptables -A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --set
/sbin/iptables -A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --update --seconds 1 --hitcount 60 -j DROP
# Drop any packet the connection tracker cannot classify.
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
# Drop packets with impossible TCP flag combinations (null, SYN+FIN, SYN+RST, FIN+RST, FIN without ACK).
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
# Drop packets from or to broadcast, multicast, reserved, loopback and private ranges
# (anti-spoofing). 192.168.0.0/16 is not listed because the internal side uses it.
/sbin/iptables -A INPUT -s 10.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -s 169.254.0.0/16 -j DROP
/sbin/iptables -A INPUT -s 172.16.0.0/12 -j DROP
/sbin/iptables -A INPUT -s 127.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -s 224.0.0.0/4 -j DROP
/sbin/iptables -A INPUT -d 224.0.0.0/4 -j DROP
/sbin/iptables -A INPUT -s 240.0.0.0/5 -j DROP
/sbin/iptables -A INPUT -d 240.0.0.0/5 -j DROP
/sbin/iptables -A INPUT -s 0.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -d 0.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -d 239.255.255.0/24 -j DROP
/sbin/iptables -A INPUT -d 255.255.255.255 -j DROP
# Allow TCP/UDP connections out and keep state so their replies are allowed back in.
/sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
# ICMP: let the firewall ping out (echo-request out, echo-reply back in).
/sbin/iptables -A INPUT -p icmp -m state --state NEW,ESTABLISHED --icmp-type echo-reply -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED --icmp-type echo-request -j ACCEPT
# Alternative ICMP policy: no new ICMP in (so no inbound ping), replies to our own ICMP in, anything out.
/sbin/iptables -A INPUT -p icmp -m state --state NEW -j DROP
/sbin/iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
# Forward only new connections from outside to the web, DNS and email servers on their
# service ports. The DNS rule matches TCP only; UDP port 53 is not forwarded by this script.
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.122.80 --dport 80 -m state --state NEW -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.122.80 --dport 443 -m state --state NEW -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.122.53 --dport 53 -m state --state NEW -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.122.25 --dport 25 -m state --state NEW -j ACCEPT
# Allow the servers' replies back out.
/sbin/iptables -A FORWARD -p tcp -i eth1 -s 192.168.122.80 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -i eth1 -s 192.168.122.80 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -i eth1 -s 192.168.122.53 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -i eth1 -s 192.168.122.25 --sport 25 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow new ssh connections in at no more than 2 per minute (default burst of 5), and the replies out.
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 2/m -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -m limit --limit 2/m -j ACCEPT
# Log and drop everything that did not match above (outbound is logged but still accepted).
/sbin/iptables -A INPUT -j LOG --log-level 4 --log-prefix "IPTABLES_INPUT: "
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A FORWARD -j LOG --log-level 4 --log-prefix "IPTABLES_FORWARD: "
/sbin/iptables -A FORWARD -j DROP
/sbin/iptables -A OUTPUT -j LOG --log-level 4 --log-prefix "IPTABLES_OUTPUT: "
/sbin/iptables -A OUTPUT -j ACCEPT
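The LOG rules at the end of the script are the firewall's audit trail: every packet that reaches them is tagged "IPTABLES_INPUT: " or "IPTABLES_FORWARD: " in the kernel log (dmesg, or /var/log/messages once rsyslog is running) before it is dropped. As an added example (not from the original post), the helper below summarises those lines by source, protocol and destination port, so you can see what the firewall is refusing and spot policy gaps. The sample log lines are constructed in the kernel's netfilter LOG format: the eth0 MAC is the one from the boot log above, 192.0.2.10 stands in for the masked eth0 address, and the other addresses are from the documentation ranges. One of the constructed lines is a UDP query to the 192.168.122.53 DNS server, which the script's TCP-only FORWARD rule does not match, so it shows up as a logged drop.

```shell
#!/bin/bash
# Added example, not from the original post: summarise what the LOG rules
# at the end of the firewall script recorded.
set -u

# Constructed sample lines in the kernel netfilter LOG format. 192.0.2.10
# stands in for the firewall's eth0 address; 203.0.113.7 and 198.51.100.20
# are documentation addresses. The last line is unrelated kernel noise.
SAMPLE_LOG='Dec  7 23:10:01 fedora-arm kernel: [  601.234567] IPTABLES_INPUT: IN=eth0 OUT= MAC=f0:ad:4e:00:1a:0f:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=12345 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  7 23:10:02 fedora-arm kernel: [  602.118800] IPTABLES_INPUT: IN=eth0 OUT= MAC=f0:ad:4e:00:1a:0f:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=12346 DF PROTO=TCP SPT=44322 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  7 23:10:05 fedora-arm kernel: [  605.002341] IPTABLES_INPUT: IN=eth0 OUT= MAC=f0:ad:4e:00:1a:0f:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=12347 DF PROTO=TCP SPT=44323 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  7 23:11:40 fedora-arm kernel: [  700.551200] IPTABLES_FORWARD: IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=192.168.122.53 LEN=64 TOS=0x00 PREC=0x00 TTL=57 ID=9 PROTO=UDP SPT=53200 DPT=53 LEN=44
Dec  7 23:11:41 fedora-arm kernel: [  701.873000] IPTABLES_INPUT: IN=eth0 OUT= MAC=f0:ad:4e:00:1a:0f:00:11:22:33:44:55:08:00 SRC=198.51.100.20 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=10 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Dec  7 23:12:00 fedora-arm kernel: [  720.000100] Bluetooth: HCI socket layer initialized'

# summarize_drops PREFIX   (log text on stdin)
# One line per (source, protocol, destination port) tuple tagged with PREFIX,
# most frequent first: "<count> SRC=<ip> PROTO=<proto> DPT=<port|->".
summarize_drops() {
    local prefix=$1
    awk -v prefix="$prefix" '
        index($0, prefix ": ") == 0 { next }      # not one of our LOG lines
        {
            src = ""; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n != 2) continue
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END {
            for (k in count) {
                split(k, f, " ")
                printf "%d SRC=%s PROTO=%s DPT=%s\n", count[k], f[1], f[2], f[3]
            }
        }
    ' | sort -k1,1nr
}

# top_dropped_source PREFIX   (log text on stdin)
# Prints the source address with the most logged packets for PREFIX.
top_dropped_source() {
    local prefix=$1
    awk -v prefix="$prefix" '
        index($0, prefix ": ") == 0 { next }
        {
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "SRC=") hits[substr($i, 5)]++
        }
        END {
            best = ""
            for (s in hits) if (best == "" || hits[s] > hits[best]) best = s
            print best
        }
    '
}

# Demo on the constructed sample; on the Guruplug feed it real data with
#   dmesg | summarize_drops IPTABLES_INPUT
printf '%s\n' "$SAMPLE_LOG" | summarize_drops IPTABLES_INPUT
```

On the sample, the INPUT summary shows one outside host probing 23, 3389 and 445 and another pinging the firewall, while the FORWARD summary shows the UDP/53 query that the TCP-only DNS rule let fall through to the log-and-drop tail.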
5) Useful firewall packages to install into the image:
nufw.armv5tel                 Authentication firewall suite for Linux
shorewall.noarch              An iptables front end for firewall configuration
shorewall-lite.noarch         Shorewall firewall for compiled rule sets
libfwbuilder-devel.armv5tel   Firewall Builder API libraries and header files
6) I used the command dd to copy the micro SD card back into an img file and uploaded it to the server for downloading. You can use dd to transfer it back onto a micro SD card.
dd if=/dev/sdb of=Guruplug-fw.img
7) This is the link to download the image:
http://dl.dropbox.com/u/55298330/Guruplug-fw.img