building a redhat linux firewall – a user experience
Building a RedHat Linux Firewall – A User Experience
USERblue San Francisco Session 6306
Abstract
Linux makes an excellent firewall! It's in there! I kept hearing that, so when I needed a firewall to protect my home lan from all the badness on the Internet I started my quest for the ideal linux firewall. I'm now on version three, and not finished yet. Come hear my story, and perhaps take home a few ideas you can use when you connect your home or office to the Internet.
Disclaimer
Everybody has lawyers:
The ideas and concepts set forth in this presentation are solely those of the respective authors, and not of the companies and or vendors referenced within and these organizations do not endorse, guarantee, or otherwise certify any such ideas or concepts in application or usage. This material should be verified for applicability and correctness in each user environment. No warranty of any kind available.
Building your own firewall
It’s easy with linux
But my recommendation is: Don’t bother
Unless you want to do it as a learning experience or you’re REAL broke!
Buy a firewall
There are many vendors who make inexpensive SOHO firewall/routers.
For example, the LinkSys firewall/hub is currently available from amazon.com for $59.99 after a $10 mail in rebate. (and they throw in a free ethernet cable)
There are a LOT of options!
Buy a firewall
http://www.linksys.com
http://www.netgear.com
http://www.actiontec.com
http://www.usr.com
http://catalog.belkin.com
http://www.cayman.com
http://www.microliss.de
http://www.2wire.com
Buy a firewall
www.cnet.com www.buy.com www.pricewatch.com
Go to any of these sites and search for “firewall”
My firewalls
First try – Redhat 5.2 with ipfwadm
Getting better – RedHat 6.2 with ipchains
Today – RedHat 7.3 with iptables/netfilter
Building your firewall
Hardware
Software
Hardware
Doesn’t have to be current or state of the art hardware
While you can use a 486 system, I would recommend a Pentium, any old Pentium.
You should be able to find a 100 to 400 Mhz Pentium motherboard almost anywhere in the used equipment market
Hardware
You need:
  Motherboard and processor
  Case/Power Supply to match
  Memory
  Video card/monitor
  Keyboard/mouse
  Floppy/CDROM drives
  Hard drive(s) (total space at least 1.5 Gb)
  2 network cards
Hardware
Memory
  32 MB minimum
  64 MB good
  128 MB better
None of the hardware needs to be “State of the Art”
Software
Several Options are available
  LRP (Linux Router Project)
  LEAF (Linux Imbedded Appliance Firewall)
  CD-Linux
  DIY
  Many others, not mentioned here
Use google.com
Linux Router Project
www.linuxrouter.org
Boots from a single floppy disk
Minimum hardware required
Based upon the 2.2 Linux Kernel
Seems to be falling into disuse
Linux Imbedded Appliance Firewall (LEAF)
Follow-up to the Linux Router Project
Single floppy boot image
Also seems to be based upon the 2.2 kernel
For more information:
  http://leaf.sourceforge.net/
  http://lrp.steinkuehler.net/
CD-Linux
Yet another Linux distribution
One where the majority of the files can be located on a read-only medium, such as CDROM.
More secure since there is no way to change the system without creating a new CD
Hard to keep current for the same reason
www.cd-linux.org
Do it Yourself Things you will need
Basic Hardware
RedHat Linux version 7.3
If you’re going to build it, you MUST
  Protect it
  Keep it current
Do it Yourself Things you will need
To protect your system you need:
  TCP wrappers
  A log scanner
  A firewall configuration file
  Network Time Protocol
  Tripwire
To keep your system current you need:
  An rpm update manager
TCP Wrappers
Started from inetd
Controls access to other daemons started from inetd
Uses configuration files to determine access
  /etc/hosts.deny
  /etc/hosts.allow
Secure Shell
An implementation of the Secure Socket Layer (SSL)
Free for Educational and non-commercial use
Commercial version available
Developed at The Helsinki University of Technology
Available on the Internet
Included with RedHat Linux 7.0+
Secure Shell
Automatic authentication of users
Multiple strong authentication methods
Authentication of both ends of connection
Automatic authentication using agents
Encryption and compression of data
Tunneling and encryption of arbitrary connections
Secure Shell
Cryptographic algorithms available
  Triple DES (Default)
  Blowfish
  Twofish
  Arcfour
  Idea
  Cast
  RSA
LogCheck
Linux logs a tremendous amount of info
People just don’t read logs
Most of what is in the logs is normal
The normal stuff hides the important stuff
Let the computer read the logs and separate the important stuff from the junk
LogCheck
Written by Craig Rowland
Scans logs for interesting entries
Free
Now called LogSentry
Available for download at http://www.psionic.com/abacus/logcheck/
Runs hourly
LogCheck
LogCheck uses four configuration files
  logcheck.hacking
  logcheck.violations
  logcheck.violations.ignore
  logcheck.ignore
Files are applied in the order shown
Every line is a “regular expression”
LogWatch
Another Log Analyzer
Distributed standard with RedHat 7.2+
Written by Kirk Bauer <[email protected]>
http://www.kaybee.org/~kirk
Configuration files in /etc/log.d
Runs once a day
Does not appear to be as easily configured as logcheck
Logrotate
Comes with RedHat Linux
  Debian does something Different
  Slackware doesn’t do this at all
  YMMV
Freely available from Redhat.com
Should build on any version of Linux
Logrotate
Check and update /etc/logrotate.conf
Allows for keeping old logs
Keeps logs from filling up disk
Different logs can have different parameters
Can also use files in the directory /etc/logrotate.d
RPM Update Managers
Updateme
Up2date
Apt-rpm
Autorpm
updateme
Locally written UGA utility
Checks for new versions of software
Can be configured to use any RedHat distribution site
  Configuration file
  Command line argument
Support status uncertain
/usr/local/etc/updateme.cf
site=acs-mirror.ucsd.edu
updatedir=/linux/redhat/updates/7.3/en/os/i386
site=sunsite.unc.edu
updatedir=/pub/linux/distributions/redhat/updates/7.3/en/os/i386
up2date
From RedHat
Requires registration with RHN (RedHat Network)
Free for the first computer
Subscription required for multiple computers
Requires X-11 on the computers to be managed
APT-RPM
A port of the Debian APT (Advanced Package Tool) program used to manage updates.
Requires that the site providing the updates have a special “apt” index which must be created each time its content changes.
Not enough sites do this yet
http://freshrpms.net/apt/ or Google
AutoRPM
By Kirk Bauer
Can download updates for later installation
Can download and install updates
Can do automatic updates or queue for later
Requires a bit of configuration work
I like this one
Firewall configuration files
http://www.linux-firewall-tools.com/linux/
http://www.linuxguruz.org/iptables/
The script I have been using is available on this second web site as “IPTABLES Masquerading Firewall” or rc.firewall_023.txt
Firewall configuration files
I like this file for several reasons:
  It uses the “state” condition of connections to determine if they are allowed or denied
  It is more thorough in its handling of icmp traffic
  It has provisions for port forwarding for services operated on machines located on the local network.
Download it
Tripwire
Monitors system for modified files
Many versions, most commercial
Tripwire for linux is open source under GPL
http://sourceforge.net/projects/tripwire
Distributed with RedHat 7.2+
  tripwire-2.3.1-10.i386.rpm
Tripwire
Uses passwords and cryptographic signatures to protect configuration files
Default configuration may take some fixing
  Comes with many non-existent files defined
  Run it once and use the output to edit the twpol.txt file.
  You probably also want to remove /root and /var/log from checking.
Run from cron once a day to audit system
Tripwire
When something changes Tripwire will find it.
If it’s OK, then run:
  tripwire --update -r /full/path/to/latest/report.twr
If it’s NOT OK, then you may have been compromised
Tripwire and AutoRPM may not play well together, giving some false positives
NTP (Network Time Protocol)
Developed by Dave Mills at The University of Delaware ([email protected])
Sets computer clock automagically
Previous version is xntp-3.5.93 and is on the RedHat 6.1 CDROM
Current version is ntp-4.1.1 and is on the RedHat 7.3 CDROM
NTP
Can set the clock from various sources
  Reference Time Standards
  Broadcast Standards (WWVB)
  GPS receivers
  Network
Configuration File
  /etc/ntp.conf
NTP
Network Time Standards
  Public vs Private
  Primary vs Secondary
Server List
  http://www.eecis.udel.edu/~mills/ntp/servers.htm
Pick a server near you
Use a “Public” server
Do NOT use a “Primary” Server
Backups
I’m usually a big fan of frequent backups, but in the case of the firewall, it really isn’t necessary.
Back up a few of the more critical files which would be a pain to re-create. The rest can be easily rebuilt. The main file I keep copies of is my firewall config file.
Sign up for a bug fix list
Go here and sign up for the redhat.com watch list. They will send you e-mail every time there is a bug fixed in RedHat linux. You NEED to know this…
https://listman.redhat.com/mailman/listinfo/redhat-watch-list/
References
LINUX HOWTO documents
  Should be on your Install CD, or from http://metalab.unc.edu/LDP/
References
SSH
  http://www.ssh.com/ (commercial version)
  http://www.ssh.org/ (educational version)
LogCheck
  http://www.psionic.com/abacus/logcheck/
NTP
  RFC 1796
  http://www.eecis.udel.edu/~ntp/
References
General Security References
  //www.alw.nih.gov/Security/security.html
  //www.usg.edu/oiit/support/security/
  //csrc.ncsl.nist.gov/
  //www.cert.org/
Firewall references
http://www.linux-firewall-tools.com/linux/
http://www.fwtk.org/
http://www.fwtk.org/mason/
http://rcf.mvlan.net/
http://tickle.unco.edu/cs442/weitzel/research.html
http://tickle.unco.edu/cs442/weitzel/execute.html
http://www.linuxsecurity.com/feature_stories/kernel-netfilter.html
Firewall Cookbook
A step by step how-to
Basic steps to perform
Assemble hardware
Install operating system
Clean up install and turn off unnecessary services
Install patches and set up autorpm
More security stuff
Install firewall configuration
Final configuration
Actual installation
Assemble the hardware if necessary.
Make boot disks if necessary
Boot from CDROM or from floppy if your bios doesn’t support booting from CD
Do a minimum install of RedHat 7.3 (see next few slides)
Installing RedHat 7.3
To simplify things, when I boot the CD I do a “text” install. You may prefer the “gui” installer.
Select Installation Language - “English”
Keyboard Selection - “us”
Mouse – “select yours”
Installation type – “custom”
Installing RedHat 7.3
Partition your disk. I like Disk Druid, but you can use fdisk.
Use separate partitions for
  /
  /var
  /tmp
  /boot
  /home
Installing RedHat 7.3
Disk partitioning - Define them in this order
  /boot – about 64Mb
  Swap 128Mb or real memory size, whichever is greater
  /var – about 128Mb
  /tmp – about 128Mb
  /home – the rest of the disk
Installing RedHat 7.3
Disk Partitioning – continued
/boot and swap should be primary partitions. The rest can be in an extended partition
Define all partitions as type ext3 and format them (except for the swap partition, of course)
Installing RedHat 7.3
Boot loader – you need one – I use grub.
Install it in the Master Boot Record of your primary drive
You probably don’t need any boot options
You won’t have any other OSes to boot
Or need a boot loader password
Installing RedHat 7.3
Ethernet adapters
If you have a dhcp server on your network
  eth0
    [*] use bootp/dhcp
    [*] activate upon boot
  eth1
    [*] use bootp/dhcp
    [ ] activate upon boot
Installing RedHat 7.3
If you don’t have a dhcp server on your network
  eth0
    [ ] use bootp/dhcp
    [*] activate upon boot
    Fill in static information for address, netmask, etc.
  eth1
    [*] use bootp/dhcp
    [ ] activate upon boot
Network Configuration
In either case, do NOT enter gateway or nameserver information. Your system will pick this up via DHCP from your ISP.
Installing RedHat 7.3
Enter your hostname
Configure the built in firewall
  High security
  Customize to only allow ssh
  This is only temporary
Language support – American English (or whatever you want)
Select your time zone
Installing RedHat 7.3
Enter a good password for root
Add at least one additional user so you don’t have to always use root
[*] Use shadow passwords
[*] Enable MD5 passwords
[ ] Enable NIS
[ ] Enable LDAP
[ ] Enable Kerberos
Installing RedHat 7.3
Package Group Selection
  [*] Printing Support
  [*] Network Support
  [*] Router/Firewall
  [*] Network Managed Workstation
  [*] Utilities
Installing RedHat 7.3
Start installation, providing additional CDROMs when prompted for.
Build a boot diskette when prompted.
When done, remove all media and boot your new linux system.
Connect only one of your ethernet adapters to your local network and boot your new system
Initial setup
Boot your new system with your local network attached to one of the two ethernet cards. Watch the system startup messages for “eth0” to start correctly. Log on and try to ping another host on your local network. If it succeeds, mark that adapter as “eth0” If it fails, swap the cable to the other adapter, reboot, and try again.
Initial setup
Edit /etc/aliases and uncomment the last line of the file and fix the address to a valid address to receive mail sent to root
Old
  #root: marc
New
  root: [email protected]
Run the “newaliases” command
Initial setup
Edit the file /etc/hosts and fix it
Before
  127.0.0.1 pitbull localhost.localdomain localhost
After
  127.0.0.1 localhost.localdomain localhost
  192.168.1.121 pitbull pitbull.halshome.net
Or whatever your local address and hostname are
Initial setup
Turn off unused services
  chkconfig --list | grep on | more
Will show all of the services currently on, one per line.
This list looks like this:
Initial setup
keytable atd syslog gpm sendmail kudzu netfs
network random rawdevices apmd ipchains iptables crond
anacron lpd portmap xfs xinetd rhnsd autofs
nfslock isdn sshd ip6tables
Initial setup
For each of the services not desired:
chkconfig --level 123456 service off
Configure TCP Wrappers
/etc/hosts.deny
#
# hosts.deny
# This file describes the names of the hosts which
# are *not* allowed to use the local INET services,
# as decided by the '/usr/sbin/tcpd' server.
#
ALL: ALL
Configure TCP Wrappers
/etc/hosts.allow
#
# hosts.allow
#
sshd: 192.168.1.
Configure network
Plug your internet connection into the unused ethernet adapter (eth1)
Edit the file:
  /etc/sysconfig/network-scripts/ifcfg-eth1
And change the line
  ONBOOT=no
To
  ONBOOT=yes
And Re-boot
Configure network
Use the commands
  ifconfig -a
  netstat -rn
To check the status of the network. It should look like this:
ifconfig eth0
eth0 Link encap:Ethernet HWaddr 48:54:E8:28:03:21
inet addr:192.168.1.122 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:172 errors:0 dropped:0 overruns:0 frame:0
TX packets:97 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:19664 (19.2 Kb) TX bytes:10409 (10.1 Kb)
Interrupt:11 Base address:0xd000
ifconfig eth1
eth1 Link encap:Ethernet HWaddr 48:54:E8:28:05:2F
inet addr:65.190.68.197 Bcast:65.190.68.199 Mask:255.255.255.252
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2849 (2.7 Kb) TX bytes:2335 (2.2 Kb)
Interrupt:11 Base address:0xcc00
ifconfig lo
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
65.190.68.196 0.0.0.0 255.255.255.252 U 40 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo
0.0.0.0 65.190.68.198 0.0.0.0 UG 40 0 0 eth1
You’re online!
Your machine is now connected to the internet, but is not yet acting as a firewall for the network behind it.
First, let’s check that sendmail works
Initial setup
Test sendmail
  sendmail -v root
  data
  data
  .
Look for a line containing:
250 xxxxxxxx Message accepted for delivery
Check for delivery
Additional sendmail setup
Since we will NOT be running sendmail as a daemon, we need to make sure that mail which gets queued as undelivered will get retried.
We will create a file in the hourly cron directory to invoke sendmail to run the mail queues
Additional sendmail setup
cd /etc/cron.hourly
echo '#!/bin/bash' > sendmail
echo /usr/sbin/sendmail -q >> sendmail
chmod +x sendmail
Installing software
We have a few packages which were not installed with the distribution.
Let’s get them and install them. We’re now connected to the internet
so we can do this
Get AutoRPM
ftp ftp.kaybee.org
Logon as anonymous
  cd /pub/redhat/RPMS/noarch
  bin
  prompt
  mget autorpm*
  quit
Install AutoRPM
rpm -ivh autorpm-2.9.3-1.noarch.rpm
autorpm -v
It should report version 2.9.3.
By default, AutoRPM only tells you about updates and doesn’t do anything about them.
We want to modify this behavior
Configure AutoRPM
Edit the file /etc/autorpm.d/autorpm.conf
Change line 12 to reflect the architecture of your machine (probably have to remove “i686”)
Uncomment line 49 to allow automatic updating of the AutoRPM package to the latest “stable” release
Configure AutoRPM
Edit the file /etc/autorpm.d/redhat-updates.conf
Change line 28 from Install(Interactive); to Install(Auto);
Change line 33 from Auto_Follow_Deps(No); to Auto_Follow_Deps(Yes);
Run AutoRPM
Now run AutoRPM in order to update the software on your new system
autorpm --notty "auto" &
E-mail will be sent to root with the results.
Install Lynx
We need a web browser to download files, but don’t want the overhead of X-Windows
Install lynx
It’s on the RedHat CDROM, volume 3
mount -o ro /dev/cdrom /mnt/cdrom
cd /mnt/cdrom/RedHat/RPMS
rpm -ivh lynx-2.8.4-18.i386.rpm
cd /root
umount /dev/cdrom
Use lynx to download the iptables configuration file
lynx http://www.linuxguruz.org/iptables/
Use the down arrow key to scroll the page down until you see the entry for “IPTABLES masquerading firewall”
Move the cursor to this line. The URL will be highlighted
Press the “d” key to download this file
Use the default filename, “rc.firewall_023.txt”
Edit the rc.firewall file
Edit the file you just downloaded
Add the following two lines near the top of the file in the initial comments
  # chkconfig: 2345 11 92
  # description: iptables packet filtering firewall
Edit the rc.firewall file
Find the line “…location of the iptables…”
  Change IPTABLES="/usr/sbin/iptables"
  To IPTABLES="/sbin/iptables"
Find the line “---Begin Firewall---”
  Change DEFAULT_EXTIF="ppp0"
  To DEFAULT_EXTIF="eth1"
Edit the rc.firewall file
So we can run ntp, we have to open a hole in the firewall for the ntp port.
Find the string “DNS” in the file. It occurs twice
Both times, replicate the three lines starting with the “DNS” line
Both times, on the first replicated line, change “DNS” to “NTP”
On the second and third lines change “53” to “123” and remove the comment “#” character from column 1.
Now configure iptables
cd /etc/rc.d/init.d
mv iptables iptables.orig
mv ipchains ipchains.orig
cp /root/rc.firewall_023.txt iptables
chmod +x iptables
chkconfig --del iptables
chkconfig --add iptables
Start your new firewall
Reboot the system.
Watch the system console for rejections from the firewall. They will probably start almost immediately, and look something like this:
Firewall message
Aug 7 14:01:17 pitbull kernel: fp=SPECIALPORT:1 a=DROP IN=eth1 OUT= MAC=00:a0:d2:16:0f:e0:00:10:e8:0d:15:2c:08:00 SRC=67.251.1.229 DST=65.190.68.197 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=17663 DF PROTO=TCP SPT=4037 DPT=27374 WINDOW=2144 RES=0x00 SYN URGP=0
Firewall messages
The messages are logged to /var/log/messages
This particular message shows a probe to port 27374 (the backdoor installed by the SubSeven worm) from a computer with IP address 67.251.1.229. This address resolves to a Canadian uunet subscriber 1Cust229.tnt2.oxnard.ca.da.uu.net
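Added example (not part of the original slides): a shell function that tallies such DROP entries from a /var/log/messages-style log by source address, protocol and destination port, so repeated probes stand out. The first sample line is the message shown above; the other lines are constructed, and the " a=DROP " tag the filter keys on is assumed to be the log prefix this rc.firewall script writes.

```shell
#!/bin/sh
# Tally firewall DROP entries per source address, protocol and destination port.

# Sample input: line 1 is the message from the slide, the rest are constructed.
sample_log() {
cat <<'EOF'
Aug 7 14:01:17 pitbull kernel: fp=SPECIALPORT:1 a=DROP IN=eth1 OUT= MAC=00:a0:d2:16:0f:e0:00:10:e8:0d:15:2c:08:00 SRC=67.251.1.229 DST=65.190.68.197 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=17663 DF PROTO=TCP SPT=4037 DPT=27374 WINDOW=2144 RES=0x00 SYN URGP=0
Aug 7 14:01:20 pitbull kernel: fp=SPECIALPORT:1 a=DROP IN=eth1 OUT= MAC=00:a0:d2:16:0f:e0:00:10:e8:0d:15:2c:08:00 SRC=67.251.1.229 DST=65.190.68.197 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=17701 DF PROTO=TCP SPT=4037 DPT=27374 WINDOW=2144 RES=0x00 SYN URGP=0
Aug 7 14:02:10 pitbull sshd[812]: Accepted password for hal from 192.168.1.10 port 1033 ssh2
Aug 7 14:03:02 pitbull kernel: fp=INPUT:99 a=DROP IN=eth1 OUT= MAC=00:a0:d2:16:0f:e0:00:10:e8:0d:15:2c:08:00 SRC=192.0.2.44 DST=65.190.68.197 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=5120 PROTO=UDP SPT=1026 DPT=137 LEN=58
Aug 7 14:05:44 pitbull kernel: fp=INPUT:99 a=DROP IN=eth1 OUT= MAC=00:a0:d2:16:0f:e0:00:10:e8:0d:15:2c:08:00 SRC=198.51.100.7 DST=65.190.68.197 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4711 SEQ=1
EOF
}

# fw_drops: read log lines on stdin, print "count source protocol dport",
# most frequent first. Non-firewall lines are ignored; protocols without a
# destination port (ICMP) are reported with "-".
fw_drops() {
    awk '
        /kernel:/ && / a=DROP / {
            src = ""; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)        src   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Stand-alone run on the sample; on the firewall use:
#   fw_drops < /var/log/messages
sample_log | fw_drops
```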
Install ntp
We need to install the network time protocol program to synchronize the clock on our server to a master clock
It’s on the RedHat CDROM, volume 1
  mount -o ro /dev/cdrom /mnt/cdrom
  cd /mnt/cdrom/RedHat/RPMS
  rpm -ivh ntp-4.1.1-1.i386.rpm \
      libcap-1.10-8.i386.rpm
Configure ntp
Go to: http://www.eecis.udel.edu/~mills/ntp/clock2.htm
Select one or two servers close to you
Edit /etc/ntp.conf
Make it look like this:
/etc/ntp.conf
server server1.somewhere.edu
server server2.somewhere.else.com
driftfile /etc/ntp/drift
logfile /var/log/ntp.log
More ntp configuration
Edit the file /etc/ntp/step-tickers
And put in the two servers you selected, one per line with no other information
  server1.somewhere.edu
  server2.somewhere.else.com
ntp
Start ntp with the command
  /etc/rc.d/init.d/ntpd start
You should see two messages:
ntpd: Synchronizing with time server: [ OK ]
Starting ntpd: [ OK ]
ntp
Check to see if ntp is running with the commands
  ntpdc
  peers
  quit
Checking ntp
[root@pitbull root]# ntpdc
ntpdc> peers
     remote           local      st poll reach  delay   offset    disp
========================================================================
 dns2.uga.edu    192.168.1.122    2   64    1 0.05865 43190.870 7.93750
=dns1.uga.edu    192.168.1.122    2   64    1 0.05772 43190.870 7.93750
ntpdc> quit
[root@pitbull root]#
A minor fix
Edit the file /etc/sysconfig/i18n
Change the line
  LANG="en_US.iso885915"
To
  LANG="C"
This fixes a problem with the ls command sort order.
Other things you may fix
Edit /root/.bashrc
Remove the annoying aliases for rm, cp, and mv
Add any aliases you may want. I like
  alias l='ls -Fl'
Reload with the command . .bashrc
Other things you may fix
Since you have working log scanner (logwatch) and a working log manager (logrotate) nothing needs to be done here.
I personally would replace logwatch with LogSentry from Psionic Technologies and tweak the logrotate configuration files to keep the firewall logs a bit longer, but then that’s just me…
Installing Tripwire
It’s already installed, running, and sending e-mail to root once a day demanding to be configured
Configuring Tripwire
/etc/tripwire/twinstall.sh
  Answer prompts
  Use good passphrases
tripwire --init
tripwire --check
You WILL get lots of errors
Configuring Tripwire policy
Check output and edit twpol.txt, removing all 156 files reported as missing. This could be very tedious, so let’s use a script…
cd /etc/tripwire
Create the file tw.a containing:
/No such file/ {print "/" prev "/ s/^ /#/"}
/Filename:/ {prev = $2
gsub("/", "\\/", prev)}
Updating Tripwire Policy
tripwire --check > tw.report
awk -f tw.a tw.report > tw.sed
sed -f tw.sed twpol.txt > twpol.new
vi twpol.new
  update the HOSTNAME variable
  comment out the entries for
    /root
    /var/log
Tripwire
mv twpol.txt twpol.txt.orig
mv twpol.new twpol.txt
tripwire --update-policy -Z low twpol.txt
tripwire --check
rm tw.a tw.sed tw.report twpol.txt.orig
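Added example (not part of the original slides): a variant of the policy cleanup that compares paths exactly. The sed commands generated by tw.a match each missing path as an unanchored regular expression, so a missing /bin/ash would also comment out the rule for /bin/ash.static and silently drop it from integrity checking. The report and policy excerpts below are constructed, and their layout (a "Filename:" line followed by "No such file", and rules whose first field is the path) is an assumption.

```shell
#!/bin/sh
# Comment out twpol.txt rules for files a tripwire check reported as missing,
# matching the rule path by exact string comparison instead of by regex.

# comment_missing REPORT POLICY : writes the edited policy to stdout
comment_missing() {
    awk -v report="$1" '
        BEGIN {
            # Collect every path whose "Filename:" line is followed by
            # "No such file" (the same two markers tw.a looks for).
            while ((getline line < report) > 0) {
                n = split(line, f, " ")
                if (n >= 2 && f[1] == "Filename:") prev = f[2]
                else if (line ~ /No such file/ && prev != "") {
                    missing[prev] = 1
                    prev = ""
                }
            }
            close(report)
        }
        # A rule line carries the object path as its first field; an exact
        # match on that field leaves /bin/ash.static alone when /bin/ash
        # is the missing file.
        ($1 in missing) { print "#" $0; next }
        { print }
    ' "$2"
}

# Constructed sample data for illustration (assumed report and policy layout).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/tw.report" <<'EOF'
1.   File system error.
     Filename: /usr/sbin/fixrmtab
     No such file or directory
2.   File system error.
     Filename: /bin/ash
     No such file or directory
EOF
    cat > "$tmp/twpol.txt" <<'EOF'
  /usr/sbin/fixrmtab          -> $(SEC_CRIT) ;
  /bin/ash                    -> $(SEC_BIN) ;
  /bin/ash.static             -> $(SEC_BIN) ;
  /bin/bash                   -> $(SEC_BIN) ;
EOF
    comment_missing "$tmp/tw.report" "$tmp/twpol.txt"
    rm -rf "$tmp"
}

demo
```

In the procedure above it would stand in for the awk and sed steps: comment_missing tw.report twpol.txt > twpol.new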
Tripwire
You will be mailed a report from tripwire every day. Check the report. It may show changes to files on your system. These changes may be due to the AutoRPM program automatically installing updates. If this is the case then you need to run tripwire in update mode. Here’s a script to make this easier
twupdate script
Put this script in /usr/local/bin
Make it executable
Run it when you need to update the tripwire database
twupdate script
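#!/bin/bash
# Update the tripwire database from the most recent report.
if [ "$USER" = root ] ; then
    dir='/var/lib/tripwire/report'
    # Reverse name order lists the newest report first
    fn=$(ls -r "$dir" | head -1)
    # -a accepts every change recorded in that report
    tripwire --update -a -r "$dir/$fn"
else
    echo This command must run as root
fi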
Finally, updating your kernel
Nothing here will automatically update the kernel of your linux system.
I believe that this is a good thing. I also believe you periodically do
need to put a new kernel in production to fix problems.
The RedHat report will tell you when.
Updating the kernel
Go to RedHat.com (or some other distribution site)
Download the new kernel
Install it with “rpm -ivh” so that it is installed separately, and doesn’t replace your current kernel (which is what would happen if you install with “rpm -Uvh”)
Getting the new kernel
ftp ftp.redhat.com
Log on as anonymous
cd /pub/redhat/linux/updates/7.3/en/os/i586
(or whatever your architecture is)
Download the “non-smp” kernel
  bin
  prompt
  mget kernel-2.4*
  quit
Installing the new kernel
rpm -ivh kernel-2.4.18-5.i586.rpm
Reboot
Make sure the new kernel is selected on the “grub” menu. If it isn’t, then use the cursor keys to select it and press “enter”
Make sure everything works.
Installing the new kernel
Finally, if the grub boot loader comes up with your new kernel on the top line and the second entry is the default (highlighted):
  Edit /etc/grub.conf
  Change “default=1”
  To “default=0”
Session 6306
Th-th-th-that’s all folks
Questions?