*                                                                              *
*           S(imple)  S(ecurity) P(olicy) E(ditor)                             *
*                                                                              *
* (C)opyright 2002 - 2005 by Johannes Hubertz, Cologne, Germany                *
*                            jhselber at users . sourceforge . net             *
*                                                                              *
*                                                                              *
*    Special thanks to those who had the patience for the debugging.           *
*                                                                              *
*    This file is part of SSPE.                                                *
*                                                                              *
*    SSPE is free software; you can redistribute it and/or modify              *
*    it under the terms of the GNU General Public License as published by      *
*    the Free Software Foundation; either version 2 of the License, or         *
*    (at your option) any later version.                                       *
*                                                                              *
*    SSPE is distributed in the hope that it will be useful,                   *
*    but WITHOUT ANY WARRANTY; without even the implied warranty of            *
*    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the             *
*    GNU General Public License for more details.                              *
*                                                                              *
*    You should have received a copy of the GNU General Public License         *
*    along with SSPE; if not, write to the Free Software                       *
*    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA *
*                                                                              *

These are INSTALLation _hints_, nothing more or less.

This file contains my installation hints for you. Please always keep in mind
that installation is only a small part of the work with sspe; the tool is
meant for the firewall admin's daily job, not just for setting it up once.

Create a normal (non-root) user on your admin machine first, untar the
archive there and give him a directory, 'adm' for example.

The frontend is 'adm' in the bin directory; an alias is useful for calling it.
Don't assume you can do everything from it. Most things in daily life are
better done from the plain command line, e.g. by calling 'vi'.
The shell variable ADMROOT should be set and exported in .profile or
.bash_profile; otherwise you have to replace every occurrence of it in all
scripts by the absolute path.
Copy or move config to .config, perhaps after adjusting some of its variables.

Every target machine needs at least two executables for its root user; see
${ADMROOT}/software for these and, hopefully, some more useful scripts.

They need a /boot directory to exist in order to do their job. Please
inspect the scripts to get an idea of what they do before you run them as
root on a firewall.

Sorry, I only had Debian and RedHat flavours of Linux at hand.
Others should work as well; a little fine-tuning should fit the needs.

Before applying rules on a target, you need its parameters and routing table
to compile the rules. They are used to decide whether a rule needs to be
translated into an iptables command on that target or not. In the main menu
of adm, the command 'prepare distribution' samples the routing tables of all
machines. You can also call

	${ADMROOT}/bin/get_routing_tables target-name

manually from the shell. Before that, /root/bin/coll must have been run at
least once on the target.

Pay special attention to each of the following items:
1.) Every target machine and its IP address need to be in hostnet.
2.) Your admin workstation needs to be in hostnet as well.
3.) An ssh session from your admin machine to every target must be allowed
	by the rules, of course; if a rule set ever cuts off this session,
	you are locked out of the target until you fix it on the console.
	My intention was to group exactly these rules in rules.admin and
	never touch them again. ;-)
4.) Before applying, make sure you can ssh into the target without being
	asked for a password or passphrase: the distribution needs ssh to
	establish the session unattended (ssh-1 or ssh-2, your choice).
	Keep in mind that this key logs in as root on every firewall, so it
	belongs on the admin workstation only; a key with a passphrase that
	is loaded into ssh-agent serves the purpose as well as an unencrypted
	key and is the safer choice.
5.) Of course, IP routing to the targets must work.
6.) Whenever you change anything about IP routing, remember to run
	get_routing_tables again! If you change something in the IPSec
	config, IP routing is usually affected as well.
7.) If you want to use the IPSec features, they are intended to produce
	a fully meshed net of IPSec tunnels. If you want something different,
	please see my documentation in the pdf, old but still valuable.
	Look for 'ipsec-supervisor' in two flavours there.

If you suspect that iptables commands are not being generated correctly,
try running
	${ADMROOT}/bin/mach target number
It writes debugging information to stdout, which you would normally find in
desc/target/commented-rules. A higher number produces more lines. Perhaps
that helps.

rules.* are always read from the target's directory desc/target. The names
of rules.* are fixed in ${ADMROOT}/bin/mach and may be changed there.
hostnet is looked for first in ${ADMROOT}/desc/target and, if not found
there, in ${ADMROOT}/etc; the same applies to 'privates' and 'nathosts'.
Together with symbolic links this makes your installation extremely
flexible: if you like, you could even administer two or more companies
independently of each other from one single sspe installation.
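The preconditions from the list above (target and admin in hostnet, unattended ssh as root) and the hostnet lookup order from the previous paragraph, as an added shell example; this is not part of SSPE and not the author's code. It assumes that the per-target directory is ${ADMROOT}/desc/<target>, that the admin logs in to targets as root, and that a target appears by name in hostnet (only a word match is done; nothing else about the hostnet syntax is assumed). The function and variable names are made up for the example.

```shell
#!/bin/sh
# sspe_preflight.sh: added example, not part of SSPE.
# Checks the preconditions this file lists before rules are distributed.
# Assumptions (not taken from the SSPE docs): per-target directory is
# ${ADMROOT}/desc/<target>, login on targets is root@<target>, and a target
# is listed by name in hostnet.

# sspe_find_file TARGET NAME
# Print the path SSPE reads for NAME (hostnet, privates, nathosts):
# ${ADMROOT}/desc/TARGET/NAME first, then ${ADMROOT}/etc/NAME as fallback.
# Returns 1 and prints nothing if neither exists. (Plain sh has no 'local',
# so the variables carry a prefix to avoid clobbering the caller's.)
sspe_find_file() {
    sf_target=$1
    sf_name=$2
    for sf_path in "$ADMROOT/desc/$sf_target/$sf_name" "$ADMROOT/etc/$sf_name"; do
        if [ -f "$sf_path" ]; then
            printf '%s\n' "$sf_path"
            return 0
        fi
    done
    return 1
}

# target_in_hostnet TARGET
# 0 if TARGET appears as a whole word in the hostnet that applies to it.
target_in_hostnet() {
    th_file=$(sspe_find_file "$1" hostnet) || return 1
    grep -qw -- "$1" "$th_file"
}

# ssh_batch_ok TARGET
# 0 if an unattended root login works (item 4 of the list). BatchMode=yes
# makes ssh fail instead of prompting for a password or passphrase, which
# is exactly the condition an unattended distribution depends on.
ssh_batch_ok() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "root@$1" true 2>/dev/null
}

# preflight TARGET...
# Run all checks, print one line per failed check, return the number of
# targets that failed at least one check (0 means all clear). Set
# SSPE_SKIP_SSH=1 to check only the files, e.g. when offline.
preflight() {
    if [ -z "$ADMROOT" ] || [ ! -d "$ADMROOT" ]; then
        echo "ADMROOT is not set or not a directory" >&2
        return 1
    fi
    pf_failed=0
    for pf_target in "$@"; do
        pf_ok=1
        [ -d "$ADMROOT/desc/$pf_target" ] || {
            echo "$pf_target: no $ADMROOT/desc/$pf_target"; pf_ok=0; }
        target_in_hostnet "$pf_target" || {
            echo "$pf_target: not found in hostnet"; pf_ok=0; }
        if [ "${SSPE_SKIP_SSH:-0}" = 0 ]; then
            ssh_batch_ok "$pf_target" || {
                echo "$pf_target: unattended ssh as root failed"; pf_ok=0; }
        fi
        [ "$pf_ok" = 1 ] || pf_failed=$((pf_failed + 1))
    done
    return "$pf_failed"
}

# When executed with target names (rather than sourced), run the checks.
[ $# -eq 0 ] || preflight "$@"
```

Run it from the admin user's shell with ADMROOT exported, e.g. `sh sspe_preflight.sh fw1 fw2`, or source it and call `preflight` with the targets you are about to distribute to. A non-zero exit tells you how many targets would have failed during the real distribution, before any rule set touches them.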

For the options usable in every rule, please refer to bin/rules.pl; there
you can see directly what is going on.

Of course, sspe is not intended to teach you firewalling or IPSec. So I
assume you are familiar with these and you know what you are doing. Of course!

Only if _everything_ is configured well might things work as you wish.

Have fun!

Johannes Hubertz