I decided a while ago that I wanted to try a next-gen firewall. So I recently acquired a small ARM-based PC with dual LAN interfaces, installed a disk in it and set to work getting Sophos Home UTM running.
An old friend and co-worker of mine once pointed out that we programmers and other IT types often find ourselves working at a tough problem or bug for hours or even days. Then we hit upon the solution. Now at this point, in the popular imagination, we erupt in celebratory exclamations along the lines of, “Eureka!” Any of us who have been through the process, however, know that what is vastly more likely is that we erupt in vicious, self-directed insults along the lines of “Idiot!”
I have had my share so far of “Idiot!” moments. Let me share them with you.
I got the software and tried several different utilities to make a bootable USB stick from the ISO. A Linux utility called “USB Image Writer” quickly proved itself nigh-on useless. Unetbootin works well for Windows or Ubuntu, not so much for anything else. I discovered that one of this scruffy class of programs actually works well, including adapting the format of the output USB stick to how the ISO it’s laying down is set up, and that is Rufus.
Now, with a USB stick in hand that would boot the installer and begin, I quickly encountered an error message during the formatting of the disk, “install.tar not found”. I probably could have resorted more quickly to the “just google the error message verbatim” strategy and saved myself a lot of time on this one, so that will count as my first “Idiot!” moment. It turns out that you have to work around the fact that the Sophos ISO is designed to lay down a CD image with links to files as well as files, and this is not well-replicated on the USB version. Also, for reasons not clear to me, the installer dismounts the install medium during the disk formatting process. So you need some redundancy that the Rufus utility will not create. I found this sequence of commands, which worked well:
Start the Installer, then
1. On the First Screen, hit Alt-F2. [gets a command prompt]
2. bash-3.2# mount /dev/sdb1 /mnt [mounting your install USB]
3. bash-3.2# cd /install
4. bash-3.2# mkdir install
5. bash-3.2# cd install
6. bash-3.2# cp -a /mnt/install/* .
7. bash-3.2# cd ..
8. bash-3.2# cp -a /mnt/* .
9. bash-3.2# cd /
10. Hit Alt-F1 [returns to main installer]
11. Finish the Installation, Reboot.
OK, now with this scriptlet, I can get the install to run to completion. Along the way it takes a default for its static IP, which occasioned my “Idiot!” moment #2, by just clicking past that. Oh, it also takes a default for the netmask, so my “Idiot!” moment #3 followed #2 pretty quickly. I hear you objecting that we can change these after install with ifconfig. It’s true, yes… but are you willing to assume that the installation of all that other firewall functionality did not record those bad defaults somewhere your after-the-fact change will not reach?
Let’s just say, I got good at that command sequence above.
Last but not least, after getting it working to the point of being able to put it on the bench and do as much pre-configuration work as possible prior to setting it inline and trying it out… I made the one mistake that should really have me considering a second career in pottery. I created a new admin account with a complex password that I recorded in my password manager… and then deleted the default admin account… and then discovered that the new admin password was mistranscribed and therefore useless. After a break, I get to practice that command sequence again.
And yet, I know how this movie ends. My persistence at these things is close to boundless, and I will have a functional installation at the end. And a newly deepened respect for sysadmin and netadmin types who do this for a living.