Debian on a Stonesoft FW-300 (some they came back)

At the Associazione per le Libertà Informatiche e Digitali (the site is only in Italian) we started, more than one year ago, a project to spread the use of free educational software in schools. One part of the project is to help teachers with the day-to-day administration of the laboratories' PCs and of the filtering proxy. More and more schools are taking part in the project, and we need some way to access the PCs remotely so that our volunteers do not need to go to the schools in person. The first solution we tried was ssh on a strange port with key-only authentication, but in many situations school networks are behind firewalls or, worse, connect to ISPs that do not provide them with a public address. The solution is to install OpenVPN. I did some experiments with OpenVPN at home, so we decided to go on, but we had to cope with another challenge: the ALID base is shared with other groups and we cannot leave a noisy PC switched on 24/7. The solution to this second problem was the Stonesoft FW-300 on which I successfully installed Debian in August.

As I also tried to install zeroconf on that hardware, I needed to reinstall Debian and, I'm sad to say, the installation was a little bit tricky, so I report the most significant tasks I did in the hope this will be useful for someone else.

  1. I downloaded boot.img.gz from:
  2. I gunzipped the image onto a USB thumb drive following the Installation guide (i.e.: zcat boot.img.gz > /dev/sdb)
  3. I edited syslinux.cfg so that now it looks like the following:

    # D-I config version 2.0
    SERIAL 0 9600 0
    include menu.cfg
    #default vesamenu.c32
    prompt 0
    timeout 0

    Note that it may not be necessary to comment out vesamenu.c32, but I did.
  4. I downloaded netinst.iso from and copied it onto the USB drive
  5. I configured minicom, starting it as root with the -s parameter. I also tried to use gtkterm (which I find more user friendly than minicom) but for some strange reason I cannot understand I was unable to get a fully functional VT102 terminal and I was not able to edit files using gtkterm.
  6. I started the Stonesoft with the USB drive inserted (follow my previous article to set up the Stonesoft FW-300 to start from USB) and followed all the installer steps up to the grub install
  7. The grub installer failed as it tried to install on /dev/sda, which is the USB drive. I entered the command prompt from the installer menu, followed the usual GRUB recovery procedure and installed grub on /dev/sdb. The usual recovery procedure is (as /dev/sdb1 was already mounted as /target by the installer):

    mount --bind /dev /target/dev
    mount --bind /proc /target/proc
    mount --bind /sys /target/sys
    chroot /target /bin/bash
    grub-install /dev/sdb

  8. Even if grub-installer had not failed, I would have had to enter the chroot to customize /etc/default/grub to instruct grub to use the serial console. I edited the file so that now it looks like this:

    # If you change this file, run 'update-grub' afterwards to update
    # /boot/grub/grub.cfg.

    GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
    GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,9600n8"

    # Uncomment to disable graphical terminal (grub-pc only)
    GRUB_SERIAL_COMMAND="serial --speed=9600 --unit=0 --word=8 --parity=no --stop=1"

    # The resolution used on graphical terminal
    # note that you can use only modes which your graphic card supports via VBE
    # you can see them in real GRUB with the command `vbeinfo'

    # Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux

    After exiting the editor I issued an update-grub.

  9. I exited the chroot, then the console, to come back to the installer menu
  10. I selected not to install a bootloader and ended the installation. Note that the unsuccessful grub install was necessary to have grub installed by debian-installer.
  11. I rebooted the firewall just to be sure everything was ok

In the near future I'll report about the OpenVPN installation.


These days I am preparing a script that downloads the lists of sites to block from shallalist and creates the configuration for squidguard. The next step is copying the files to the right place and regenerating the DBs.
For now the first version looks like this:

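    #!/usr/bin/env python3

    """File downloading from the web."""

    import tarfile
    from urllib.request import urlopen


    def download(url):
        """Copy the contents of a file from a given URL
        to a local file."""
        webFile = urlopen(url)
        # the archive is binary data, so the local copy is written in binary mode
        localFile = open(url.split('/')[-1], 'wb')
        localFile.write(webFile.read())
        webFile.close()
        localFile.close()


    if __name__ == '__main__':
        # download(

        compressedFile = tarfile.open('shallalist.tar.gz')
        fileList = compressedFile.getnames()
        # drop the files that are not needed and
        # build a list of the names with the leading BL/ removed; directories
        # get a trailing / so that they can be told apart from the list files
        # (the body of this loop is missing from the page and is reconstructed)
        clienList = []
        for name in fileList:
            if not name.startswith("BL/"):
                continue
            clean = name[len("BL/"):].rstrip("/")
            if compressedFile.getmember(name).isdir():
                clienList.append(clean + "/")
            elif clean.endswith(("/domains", "/urls")):
                clienList.append(clean)
        compressedFile.close()
        # sorted order puts each directory right before its domains and urls files
        clienList.sort()

        # look for the names of directories that have subdirectories
        daCancellare = []
        for c in clienList:
            if c.endswith("/"):
                parts = c[:-1].split("/")
                if parts[1:] != []:
                    daCancellare.append(parts[0])
        # remove the duplicates
        ldc = list(set(daCancellare))
        # delete the names of the directories that have subdirectories
        for i in ldc:
            if clienList.count(i + "/") >= 1:
                clienList.remove(i + "/")

        configFile = open("squidGuard.conf", "w")
        configFile.write("dbhome /usr/local/squidGuard/db\n")
        configFile.write("logdir /usr/local/squidGuard/logs\n")
        # one dest block per category; the block is closed after the urls file,
        # so every category is expected to ship both domains and urls
        for c in clienList:
            if c.endswith('/'):
                configFile.write("dest " + c[:-1].replace("/", "_") + " {\n")
            if c.endswith("domains"):
                configFile.write("\tdomainlist " + c + "\n")
            if c.endswith("urls"):
                configFile.write("\turllist " + c + "\n }\n")
        configFile.write("acl {\n")
        configFile.write("\tdefault {\n")
        configFile.write("\t\tpass ")
        for c in clienList:
            if c.endswith('/'):
                # use the same name that was written in the dest block above
                configFile.write("!" + c[:-1].replace("/", "_") + " ")
        # the end of the script is missing from the page: the pass list is
        # terminated and the two open blocks are closed (reconstructed)
        configFile.write("all\n")
        configFile.write("\t\tredirect http://localhost/block.html\n")
        configFile.write("\t}\n}\n")
        configFile.close()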
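
The next step mentioned above, copying the files to the right place, means unpacking an archive fetched from the web into the squidGuard DB directory, so the member names should be checked before anything is written to disk. The following is an added example, not part of the original script: `safe_members`, `build_archive` and the three sample archives are constructed for illustration, and the `BL` prefix is taken from the comments in the script.

```python
import io
import tarfile
from pathlib import PurePosixPath


def safe_members(archive, prefix="BL"):
    """Return the members that may be extracted; raise ValueError otherwise."""
    accepted = []
    for member in archive.getmembers():
        path = PurePosixPath(member.name)
        if path.is_absolute() or ".." in path.parts:
            raise ValueError("path escapes the target: %r" % member.name)
        if path.parts[:1] != (prefix,):
            raise ValueError("not below %s/: %r" % (prefix, member.name))
        # symlinks, hard links, devices and FIFOs have no place in a blacklist
        if not (member.isdir() or member.isreg()):
            raise ValueError("not a plain file or directory: %r" % member.name)
        member.mode &= 0o755  # drop setuid/setgid/sticky and group/other write
        accepted.append(member)
    return accepted


def build_archive(entries):
    """Build an in-memory tar.gz from (name, type, payload) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            info.type = kind
            if kind == tarfile.SYMTYPE:
                info.linkname, payload = payload.decode(), b""
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r:gz")


# Constructed sample archives (not real shallalist content)
GOOD = [("BL", tarfile.DIRTYPE, b""), ("BL/adv", tarfile.DIRTYPE, b""),
        ("BL/adv/domains", tarfile.REGTYPE, b"ads.example\n")]
TRAVERSAL = GOOD + [("BL/../../etc/cron.d/job", tarfile.REGTYPE, b"x\n")]
SYMLINK = GOOD + [("BL/adv/urls", tarfile.SYMTYPE, b"/etc/passwd")]

if __name__ == "__main__":
    print([m.name for m in safe_members(build_archive(GOOD))])
    for sample in (TRAVERSAL, SYMLINK):
        try:
            safe_members(build_archive(sample))
        except ValueError as err:
            print("rejected:", err)
```

The returned list can be passed as `members=` to `extractall()` when unpacking into the DB directory. Recent Python versions also accept `extractall(filter="data")`, which applies comparable checks.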