Trustix™ FAQs
Trustix™ Enterprise Firewall Existing User Update.
- Q. I cannot su as root, why is this?
- A. In order to su as root you will need to comment out the 'PermitRootLogin' line in /etc/ssh/sshd_config. Then save the file and do 'service sshd restart'.
- Q: I just put in my order for the 30-day trial of Trustix™ Office Server / Firewall. Where do I download it from?
- A: You will be contacted shortly via a separate email. This will contain the links to the CD image .isos and .md5 sums, as well as your trial eTicket.
- Q: How do I manually install the licence.key file on a Trustix™ machine?
- A: Copy the file onto the Trustix™ box itself (floppy, email, USB drive etc.). Then save it as 'license.key' in the following location: '/etc/opt/XPloy/'
- Q: How do I SSH into a Trustix™ Firewall?
- A: On the firewall, SSH is restricted to being accessed from only the 'Allowed' administration IP addresses. These can be set from the 'Edit Firewall Users' menu. Also note that the SSH daemon runs on port 350, NOT port 22.
- Q: What kind of networking hardware is usable with Trustix?
- A: A (fairly) comprehensive Hardware Compatibility List is available at: http://hardware.trustix.org
- Q: I can't properly install Firewall on my machine, there is an error message about network cards!
- A: To install Firewall, the machine must have at least 2 network cards.
- Q: I can't find the root password or default password for Trustix!
- A: The default root password is 'trustix'. The username on the shell is 'admin', via XSentry. To log into the console on the Firewall, the password is also 'trustix'.
- Q: Can I dual boot Trustix?
- A: No, not easily. Also, Trustix™ is intended as a server OS, so it is not designed to be used in dual-booting situations.
- Q: I have installed Firewall, but the machine won't ping.
- A: By default, the Firewall is configured not to respond to ICMP Echo requests (pings). This can be switched on and off via the interface on the firewall itself; the option is 'Enable/Disable Ping Testing'.
- Q: Does SWUP run automatically at set intervals?
- A: No, it is up to the server administrator how often they run the SWUP upgrade system.
- Q. Does the Firewall include any Intrusion Detection Features?
- A. Not at this time; however, it is a possible enhancement for future releases.
- Q. Does the Firewall include any reporting feature for the Squid proxy usage?
- A. Not at this time; however, it is a possible enhancement for future releases.
- Q. Is it possible to have several public IP addresses connected to the WAN Ethernet card (the feature is sometimes called 1-1 NAT)?
- A. Yes, this is available on XSentry through two routes.
- 1. Create a server or server class entity in an internal zone, and enter an IP address in the property field 'NAT Alias'. That IP address will be picked up and set as an alternate IP address on the WAN interface if an ALLOW rule from (an entity in) the WAN zone is created pointing to the server/server class.
- In these cases, a standard access rule will be created from the source point to the destination point of the rule, and in addition a Destination NAT (1-1 or Static NAT) rule will be set up to forward all relevant traffic destined for the NAT Alias IP address to the actual (often private) IP address of the server or servers in the server class.
- 2. Create a 'Destination NAPT' rule from (an entity in) the WAN onto a host or hostfolder entity in a local zone, and enter an IP address in the 'NAT Alias' property field. This works similarly to 1., but will in addition set the rules to only translate traffic destined to the NAT Alias IP AND the given 'source port' in the rule's property dialog, and translate both the IP address to that of the entity inside AND the destination port of the packet to the 'destination port' in the property dialog.
- For 1. and 2. with serverclass or hostfolder entities as destination, the rules will be set up to effect simple round-robin load balancing over the servers contained.
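What the two routes set up underneath, shown as an added example that is not XSentry's own code: the alias address on the WAN interface, the 1-1 DNAT of route 1 (spread round-robin over several servers with the iptables statistic match) and the port-translating DNAT of route 2, each with its accompanying access rule. It assumes the firewall's packet filter is Linux iptables and that the `ip` tool is available; the addresses, interface names and ports are constructed sample values, and by default the commands are printed for review rather than applied.

```sh
#!/bin/sh
# Added example (not XSentry's own code): the iptables/ip commands behind the
# two "NAT Alias" routes. Assumes a Linux iptables firewall. Commands are
# printed by default; set IPT=iptables IP=ip to apply them on a real host.
IPT="${IPT:-echo iptables}"
IP="${IP:-echo ip}"

# Route 1: 1-1 (static) DNAT of everything sent to the alias onto the server(s).
# With several servers the statistic match spreads connections round-robin: the
# nat table only sees the first packet of each connection, and rule k (0-based)
# of N only sees what earlier rules let through, so it takes every (N-k)th one;
# the last rule takes whatever remains.
#   usage: dnat_1to1 WAN_IF ALIAS_IP SERVER_IP [SERVER_IP ...]
dnat_1to1() {
    wan_if=$1; alias_ip=$2; shift 2
    remaining=$#
    # the alias becomes an alternate address on the WAN interface
    $IP addr add "${alias_ip}/32" dev "$wan_if"
    for srv in "$@"; do
        if [ "$remaining" -gt 1 ]; then
            $IPT -t nat -A PREROUTING -i "$wan_if" -d "$alias_ip" \
                -m statistic --mode nth --every "$remaining" --packet 0 \
                -j DNAT --to-destination "$srv"
        else
            $IPT -t nat -A PREROUTING -i "$wan_if" -d "$alias_ip" \
                -j DNAT --to-destination "$srv"
        fi
        # the accompanying access rule: let the translated traffic reach the server
        $IPT -A FORWARD -i "$wan_if" -d "$srv" -j ACCEPT
        remaining=$((remaining - 1))
    done
}

# Route 2: Destination NAPT. Only traffic to the alias AND the given external
# port is translated, and both the address and the port are rewritten.
#   usage: dnat_napt WAN_IF ALIAS_IP EXT_PORT HOST_IP INT_PORT
dnat_napt() {
    $IP addr add "${2}/32" dev "$1"
    $IPT -t nat -A PREROUTING -i "$1" -d "$2" -p tcp --dport "$3" \
        -j DNAT --to-destination "$4:$5"
    $IPT -A FORWARD -i "$1" -d "$4" -p tcp --dport "$5" -j ACCEPT
}

# Sample invocations with constructed values: a single server, a three-server
# class, and a port-translating rule (8080 outside -> 80 inside).
dnat_1to1 eth0 203.0.113.10 10.0.0.5
dnat_1to1 eth0 203.0.113.11 10.0.0.5 10.0.0.6 10.0.0.7
dnat_napt eth0 203.0.113.12 8080 10.0.0.8 80
```

Reviewing the printed output before setting IPT=iptables is the point of the dry-run default: the rule that matters for exposure is the FORWARD ACCEPT, which should name only the server and, for the NAPT case, only the translated port.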
- Q. I cannot connect from the XSentry Client to the Firewall, what can cause this?
- A. If the gateway is not set to be the firewall, or if an aliased (or secondary) IP address is used on the client PC, you may well be able to ping the firewall and ssh into it from the client, but the XSentry client software will still not connect. It connects only when BOTH the client's gateway address is set correctly (to the IP address of the firewall NIC to which the client is connected) AND the client's primary IP address is the one set on the firewall as allowed to log in as that user.
- Q. I am having problems with a multi-processor machine using Trustix, what could be the problem?
- A. The most likely problem is that the installer works but the system does not boot afterwards. This can happen for three reasons:
- The boot loader does not work or was not installed properly. This can be easily verified: if you get a list of kernels to boot, the boot loader works.
- The kernel of the installer is single-CPU and there is a problem with SMP. The best way of testing this is to try to boot a kernel without "smp" in the name.
- The kernel of the installer is compiled with different options than the normal kernel to save space. The prime suspect is the APIC, so giving "noapic" to the kernel upon boot is the first thing to try.
- Q. What is the minimum bandwidth I need to administer the firewall through the internet connection?
- A. This depends on the traffic of course, but 64 Kbit is the absolute minimum. We advise you to have a minimum of 128 Kbit if possible. The most critical situation is when you transfer rules from the client to the firewall.
- Q. How do I set up the PING service in the XSentry client?
- A. Add the PING service in the internet zone, and drag a rule from LAN to this service. Remember to transfer the rules.
- Q. Users in a subnet in the LAN zone can not browse the internet. Why not?
- A. You have to drag rules directly from the subnet to the DNS service on the internet, and also a rule to the http service on the internet.
- Q. Is there a second Admin possible on the XSentry firewall?
- A. There can be several Admins on the XSentry firewall. They can be connected through the Internet as well as on the LAN. They must however have a static IP address. Also, the same user cannot be connected from more than one client computer at a time, and no more than one user may be connected at a time from a client computer.
- Q. Can I install XSentry firewall on other Linux-distributions?
- A. No, the XSentry firewall has a special Trustix Secure Linux (TSL) included.
- Q. Can I use ISA network cards on XSentry firewall?
- A. No, we have decided not to support ISA network cards anymore.
- Q. The XSentry firewall is working just fine, except I do not seem to be able to receive any mail any more. I added the pop3 service in the internet zone, but that does not seem to resolve the problem. I can send mail, but as long as the firewall is running I do not receive any.
- A. If your LAN is on a private network you have to use an SNAT rule; private IPs with "allow" rules won't work. Remove the allow rule to POP, then create an SNAT rule instead.
- Q. Which ports need to be opened to administer an XSentry Firewall from outside of your own Firewall?
- A. If you want to remotely administer an XSentry Firewall, you will have to open port 1976 in your own Firewall to be able to access the remote firewall with the XSentry client.
- Q. What will happen if I use an allow rule from the LAN zone directly to the Internet zone?
- A. If you set an allow rule from the LAN zone directly to the Internet zone you have to remember that this allows both TCP and UDP. This can be exploited, and gives people on the outside of the network the possibility to scan your internal network.
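The difference between the broad allow rule described in this answer and a stateful rule set, together with the SNAT rule the mail question above calls for, expressed as iptables commands. This is an added example, not XSentry's own rule generator; it assumes the firewall's packet filter is Linux iptables, and the interface names, LAN range, WAN address and service list are constructed sample values. Commands are printed by default so the two variants can be compared side by side.

```sh
#!/bin/sh
# Added example (not XSentry's own code): a loose LAN-to-Internet "allow"
# beside a stateful replacement, as iptables commands. Assumes a Linux
# iptables firewall. Printed by default; set IPT=iptables to apply for real.
IPT="${IPT:-echo iptables}"
LAN_IF=eth1; WAN_IF=eth0                  # constructed: eth1 = LAN node, eth0 = Internet
LAN_NET=192.168.1.0/24; WAN_IP=203.0.113.2 # constructed sample addresses

# The loose variant: any protocol, any port, in both directions between the
# zones. Nothing here distinguishes a reply from an unsolicited packet, so
# hosts in LAN_NET can be probed from the outside.
loose_rules() {
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j ACCEPT
}

# The stateful variant: the LAN may open connections to the listed services
# only; replies are admitted because they belong to a known connection; every
# other packet arriving from the WAN hits the DROP policy. SNAT rewrites the
# private source address to WAN_IP so replies (e.g. from a POP3 server) can
# be routed back, which is why a private LAN needs the SNAT rule.
#   usage: stateful_rules "proto:port ..."   e.g. "udp:53 tcp:80 tcp:110"
stateful_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for svc in $1; do
        proto=${svc%%:*}; port=${svc##*:}
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" \
        -j SNAT --to-source "$WAN_IP"
}

# Count the iptables lines a variant prints (dry-run mode only).
count_rules() { "$1" "$2" | grep -c '^iptables'; }

# Sample run: DNS, HTTP and POP3 out of the LAN, everything else dropped.
echo "# loose:";    loose_rules
echo "# stateful:"; stateful_rules "udp:53 tcp:80 tcp:110"
```

The stateful list is longer only because each permitted service is named; that explicitness is what stops the "allow both TCP and UDP" problem, since an unsolicited packet from the WAN matches neither ESTABLISHED,RELATED nor any NEW rule on the LAN side.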
- Q. I cannot connect to the Xsentry firewall server from the client?
- A. Check that the IP address of eth1 (the LAN node) is used as the default gateway on the PC that you are running the client from.
- Q. Which Windows versions do you recommend for the XSentry client?
- A. Windows 2000 or higher, NT4 (with SP6)
- Q. Dynamic or Static - NAT IPSEC?
- A. Whether the network behind the firewall is static or dynamic should not be a problem, but the firewalls that hold the VPN connection between each other must have static IP addresses. Note that there is no NAT from one internal network to the other through the VPN connection.
- Q. What if I change network cards inside the XSentry server? Does XSentry recognise the new card automatically, or do I have to reinstall? And what about the licence if I change the Ethernet card on the gateway to the Internet?
- A. If you remove one network adapter and re-insert a new card of the same type, no re-install is needed. But if another brand is inserted, you may have to re-install, because the network cards may appear in a different sequence than before.
- If you have to install a new ETH0 NIC (card to the internet-zone), you have to send us (support@trustix.com) your system-key (as provided during first application, but now for new card) and we will return your mail with a new valid key included. This is because the license also includes information from the MAC address on ETH0 NIC.
- Q. What Linux-distribution can I use for the Linux client?
- A. RedHat 6.2/7.0 etc, Mandrake 7.1 / 7.2 / 8.0 etc and SuSE 6.4 / 7.0 etc "X" is needed, of course
- Q. Can VPN tunnels go through XSentry firewalls?
- A. Yes, normally this is not a problem.
- Q. Does the Firewall support PPPoE?
- A. At this time (July 2004) the firewall does not support PPPoE, it will be included in a future release.
- Q. What are the minimum system requirements for the Trustix range?
- A. The processor and RAM requirements are the same for all products: P90+ and 32 MB respectively. The minimum recommended disk size for each product is:
- Web Server - 8 GB
- LAN Server - 4 GB
- Mail Server - 4 GB
- Proxy Server - 8 GB
- Firewall - 4 GB
- Office Server - 8 GB