Running Linux and Netfilter on Nokia IP Series Hardware
April 24th, 2003 by Michael Rash
Check Point Software Technologies has the largest market share of any firewall vendor with their Firewall-1 (FW-1) product, and Nokia manufactures several hardware appliances together with an operating system called IPSO to run FW-1. IPSO is based on FreeBSD, provides advanced routing and failover capabilities and is extremely stable, with uptimes regularly running in the multiple hundreds of days. Nokia and Check Point together provide as close to a de facto standard for enterprise firewalls as possible in a field with such a diversity of security vendors. Of course, all of this comes at a price; Check Point makes a lot of money on both licensing fees and support contracts for Firewall-1. Then, as time marches on, Check Point stops supporting older versions of FW-1. This by itself does not force companies to upgrade to newer versions of FW-1, at least not until a security vulnerability or other bug is discovered. Firewall-1 is not open-source software and, hence, cannot be patched without Check Point's (paid) assistance.
The purpose of this article is to illustrate a method for installing Red Hat Linux on a Nokia IP330 and, furthermore, to show that Netfilter can function properly in this hardware environment. The choice of Red Hat as the Linux distribution mostly is motivated by its relative ease of installation as compared to other distributions, such as Debian, Gentoo or Linux From Scratch. These others certainly work, and Gentoo was tested as such. This article merely serves as a proof of concept. It is assumed the reader has some familiarity with Linux system administration.
A base Nokia IP330 appliance manufactured in 1999 contains an AMD K6-II 266MHz processor with 64MB of RAM and an 8.0GB Quantum Fireball IDE hard drive. It is a 1U rackmountable machine with no CD-ROM or floppy drive, no keyboard or mouse ports, no graphics card, only one IDE port and one serial console port. The motherboard is custom built by Nokia with an Intel PCI bus, runs an Award BIOS and is labeled NOKIA IPRG IP300 SERIES. Three 10/100Mb Intel EtherExpress Pro Ethernet interfaces are built right onto the motherboard. Although the hardware spec of the IP330 indicates it is somewhat less endowed than is more modern hardware, it nonetheless is quite capable of handling the task it was designed to perform.
Hardware/Software Requirements:
1 Phillips head screwdriver
1 serial cable
1 Nokia IP330
1 standard desktop PC running Linux with an AMD K6-II (266 or 500MHz) processor, CD-ROM drive and an Ethernet interface
Red Hat 7.3 disks (only the first two installation disks are necessary)
Access to the Internet
Installation Outline:
Remove drive from Nokia IP330 and install in the desktop system.
Install RH 7.3 Linux on the desktop with only network support and the individual GCC, autoconf and ncurses packages.
Boot into the newly installed Linux distribution on the desktop.
Download the latest stable kernel (2.4.20 as of this writing).
Compile the kernel for AMD K6-II, serial support, no LKMs, ext2/ext3 filesystems, iptables, VM support, the Becker eepro100 driver and so on.
Configure /etc/lilo.conf.
Configure /etc/inittab.
Configure /etc/securetty.
Shut down the desktop and reinstall the drive in the IP330.
Boot and configure an iptables policy.
Before we start the installation process, it is important to have the necessary hardware and software and to review the installation outline above. Begin with the Nokia IP330 and the desktop PC both in functioning states, with IPSO installed on the Nokia machine and Linux on the desktop.
At the end of this process, we aim to have a functioning Linux system on the original drive, which currently is in the IP330. Before we begin formatting any disks, however, it is important to boot into IPSO and record the MAC addresses of all three Ethernet interfaces using ifconfig. The reason this is necessary stems from the fact that the Intel EtherExpress cards are built onto the Nokia motherboard, and each of their EEPROMs apparently is not located at an address where either the standard Linux eepro100 driver or the Intel e100 driver expects to find it. The cards accept MAC addresses manually with ifconfig, however, and this allows us to simply transfer the MAC addresses as reported under IPSO to the cards directly when we have installed and booted into Linux. You may also want to record other information from the Nokia, such as IP addresses, ospf and vrrp configurations and so forth.
Now that all important information from the Nokia has been recorded, the next thing to do is crack open the case of the IP330. After removing all 17 screws (including the drive screws) to remove the top of the IP330 case, disconnect the drive IDE and power cables. Take the Nokia drive out of the IP330 and swap it in place of the Linux drive currently installed in the desktop PC. Boot off of Red Hat install CD #1. Although the graphics mode of Anaconda works perfectly well, the text mode seems a bit less cluttered, so pass the option text at the boot prompt. Use fdisk or disk druid to remove any existing IPSO UFS partitions, add a 128MB swap partition and three ext3 partitions: /boot (50MB), /etc (200MB) and / (remaining space). Once the new partition table is saved there is no going back; both IPSO and Check Point FW-1 are gone.
Next we must choose a boot loader. Both LILO and GRUB work on the IP330s, but LILO is less than one tenth the size of GRUB. Hence, LILO was chosen for this article as it is less complex. The BIOS on the Nokia machines is able to load the boot loader into RAM off the master boot record and jump to it as any normal BIOS would do, so instruct Anaconda to install LILO in the MBR. Several of the next configuration sections are routine, and no special options need to be passed to the kernel at boot time: select an appropriate network configuration so the machine can be put on the network, select the default shadow/MD5 password scheme and so on. When it comes time to install the various packages, select only Network Support and then go into the Select Individual Packages section and add GCC, autoconf and ncurses.
After the package installation finishes, the last detail to take care of before starting the real work is the creation of the boot disk. Even though the Nokia IP330 has no floppy drive, it still is useful to create a boot disk, because the drive always can be moved to another machine if something goes wrong.
Now that we have Linux installed on the original Nokia disk, we can begin the process of customizing the installation to function on the Nokia hardware. The first step is to download and compile a custom kernel (see Resources). Boot into Linux on the desktop PC, log in as root, gain network connectivity and download the latest stable kernel (2.4.20 as of this writing) from kernel.org. Extract the kernel tar archive and begin the compilation process with make menuconfig (possible because we installed the ncurses library) to configure the kernel build. It is important to ensure that only necessary portions of the kernel code are compiled into the resulting kernel binary. To this end, only the following features should be compiled in:
Processor type and features:
K6/K6-II/K6-III
General setup:
Networking support
PCI support
PCI device name database
System V IPC
Sysctl support
Kernel support for ELF binaries
ATA/IDE/MFM/RLL support:
Enhanced IDE disk support
CMD640 chipset bugfix/support
RZ1000 chipset bugfix/support
Include IDE/ATA-2 disk support
Use multi-mode by default
Generic PCI IDE chipset support
Sharing PCI IDE interrupts support
Generic PCI bus-master DMA support
Intel PIIXn chipsets support
PIIXn Tuning support
Networking options:
Packet socket
Network packet filtering (replaces ipchains)
UNIX domain sockets
TCP/IP networking
IP: Netfilter Configuration:
Connection tracking
IP tables support
Connection state match support
Connection tracking match support
Packet filtering
Full NAT
MASQUERADE target support
LOG target support
Network device support:
EtherExpressPro (eepro100, Becker driver)
Character devices:
Standard/generic serial support
Support for console on serial port
Filesystems:
Ext3 journaling filesystem support
Virtual memory filesystem support
/proc filesystem support
Second extended fs support
After compiling the kernel with the standard make dep && make clean && make bzImage, our shiny new kernel should be around 610KB in size. Copy it to the /boot partition, configure LILO to see the new kernel binary and run lilo -t && lilo to reinstall LILO in the MBR.
By default the LILO boot loader does not send any kernel boot messages, init messages or system log messages over the serial port. Initially when we reinstall the IP330 drive back in the IP330, the only method we have available to interact with the machine is through the serial port. To configure LILO to send messages over the serial port, add the following line just before the timeout=50 line:
serial=0,9600n8
This instructs LILO to send messages out of /dev/ttyS0, which corresponds to serial port 0, at a speed of 9600 baud with one stop bit and no parity bits (see Resources). Also, there is no need to have LILO display the fancy semi-graphical boot message, so remove the message=/boot/message line. Now that we have finished editing /etc/lilo.conf, it is time to rerun lilo -t && lilo once more.
Configuring LILO to send messages over the serial port would not be of much use if, after the machine boots and init has run, there is no way to log in. Therefore, we require init to spawn a getty process on /dev/ttyS0. Getty processes are spawned from the init process based on the /etc/inittab configuration file. The default Red Hat inittab file instructs init to start getty processes on ttys 1 through 6:
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
Because there is no way to attach a keyboard to a Nokia IP330, all of these should be replaced with the following single line:
1:2345:respawn:/sbin/agetty -h ttyS0 9600 vt102
agetty, in contrast to mingetty, does not reference any configuration files and simply takes all configuration input from the command line. mingetty also is not suitable for use on serial lines, according to its man page.
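The LILO and inittab edits above, together with the securetty step from the installation outline, can be scripted and checked on copies before the drive goes back into the IP330. This is an added example, not code from the original article; the function names and sample files are constructed, and listing ttyS0 in /etc/securetty so that root can log in on the serial line is an assumption, since the article names that file only in the outline.

```shell
#!/bin/sh
# Added example, not from the original article. Applies the serial console
# edits to copies of the files so the result can be inspected first.

AGETTY_LINE='1:2345:respawn:/sbin/agetty -h ttyS0 9600 vt102'

# lilo.conf: drop message= and put serial=0,9600n8 just before timeout=.
# Returns non-zero and leaves the file untouched if timeout= is missing.
fix_lilo() {
    awk '
        /^[ \t]*(message|serial)[ \t]*=/ { next }
        /^[ \t]*timeout[ \t]*=/ { print "serial=0,9600n8"; found = 1 }
        { print }
        END { exit (found ? 0 : 1) }
    ' "$1" > "$1.new" || { rm -f "$1.new"; return 1; }
    mv "$1.new" "$1"
}

# inittab: replace every getty respawn entry with the single agetty line.
fix_inittab() {
    awk -v line="$AGETTY_LINE" '
        /^[^#:]*:[^:]*:respawn:.*getty/ { if (!seen++) print line; next }
        { print }
        END { if (!seen) print line }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# securetty (assumption: root must be able to log in on the serial line,
# which requires ttyS0 to be listed in this file).
fix_securetty() {
    grep -qx 'ttyS0' "$1" 2>/dev/null || echo 'ttyS0' >> "$1"
}

# usage: serial_console_setup STAGING_ROOT   (hypothetical staging directory)
serial_console_setup() {
    fix_lilo "$1/etc/lilo.conf" &&
    fix_inittab "$1/etc/inittab" &&
    fix_securetty "$1/etc/securetty"
}

# Constructed sample files (not a verbatim Red Hat 7.3 install).
make_sample() {
    mkdir -p "$1/etc"
    printf '%s\n' prompt timeout=50 default=linux boot=/dev/hda \
        message=/boot/message image=/boot/vmlinuz-2.4.20 \
        '    label=linux' '    read-only' > "$1/etc/lilo.conf"
    {
        echo 'id:3:initdefault:'
        echo '# Run gettys in standard runlevels'
        for n in 1 2 3 4 5 6; do
            echo "$n:2345:respawn:/sbin/mingetty tty$n"
        done
    } > "$1/etc/inittab"
    printf '%s\n' tty1 tty2 > "$1/etc/securetty"
}

# Demo on a throwaway directory.
demo=$(mktemp -d)
make_sample "$demo"
serial_console_setup "$demo" && cat "$demo/etc/lilo.conf" "$demo/etc/inittab"
rm -rf "$demo"
```

After running it against the real files, lilo -t && lilo still has to be run as the article describes.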
If the desktop PC has only one Ethernet interface, the Red Hat installer creates only one network config file for eth0, located at /etc/sysconfig/network-scripts/ifcfg-eth0. The Nokia has three network interfaces, however, so ifcfg-eth0 should be copied to ifcfg-eth1 and ifcfg-eth2 in the /etc/sysconfig/network-scripts directory. Each of these files needs to be edited to contain the correct interface names, IP addresses and MAC addresses. Interface eth0 under Linux corresponds to eth-s3 under IPSO, eth1 to eth-s4 and eth2 to eth-s5. To each of the ifcfg-eth[n] files add the line MACADDR=<MAC> where <MAC> is the original MAC address, as reported under IPSO before the Nokia disk was formatted. This mitigates the problem of the Ethernet driver not being able to read the MAC addresses directly out of the EEPROM chips.
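One way to generate the three ifcfg files from the values recorded under IPSO, using the eth-s3/eth-s4/eth-s5 mapping given above and refusing addresses that cannot be valid interface MACs. This is an added example, not code from the original article; the function names, MAC addresses and IP addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: build ifcfg-eth0..2 from the
# MAC addresses recorded under IPSO. All addresses below are constructed.

# Interface mapping stated in the article.
ipso_to_linux() {
    case $1 in
        eth-s3) echo eth0 ;;
        eth-s4) echo eth1 ;;
        eth-s5) echo eth2 ;;
        *) echo "unknown IPSO interface: $1" >&2; return 1 ;;
    esac
}

# Accept only a well-formed unicast address. All-ones (broadcast), all-zero
# and multicast addresses are not valid interface addresses.
valid_mac() {
    vm=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    printf '%s\n' "$vm" | grep -Eqx '([0-9A-F]{2}:){5}[0-9A-F]{2}' || return 1
    case $vm in
        FF:FF:FF:FF:FF:FF|00:00:00:00:00:00) return 1 ;;
    esac
    [ $(( 0x${vm%%:*} & 1 )) -eq 0 ]     # group bit set means multicast
}

# usage: write_ifcfg DIR IPSO_IF MAC IPADDR
# Uses DIR/ifcfg-eth0 (the file the installer created) as the template.
write_ifcfg() {
    wi_dir=$1
    wi_dev=$(ipso_to_linux "$2") || return 1
    valid_mac "$3" || { echo "refusing MAC for $2: $3" >&2; return 1; }
    wi_tmp="$wi_dir/.ifcfg-$wi_dev.tmp"
    {
        echo "DEVICE=$wi_dev"
        echo "IPADDR=$4"
        echo "MACADDR=$3"
        grep -v -e '^DEVICE=' -e '^IPADDR=' -e '^MACADDR=' \
            "$wi_dir/ifcfg-eth0" || :
    } > "$wi_tmp"
    mv "$wi_tmp" "$wi_dir/ifcfg-$wi_dev"
}

# Constructed template resembling what the installer writes for eth0.
make_template() {
    mkdir -p "$1"
    printf '%s\n' DEVICE=eth0 ONBOOT=yes BOOTPROTO=static \
        IPADDR=192.0.2.10 NETMASK=255.255.255.0 > "$1/ifcfg-eth0"
}

# Demo: the table is what would have been written down under IPSO
# (interface, MAC, IP address); the values here are constructed.
demo_dir=$(mktemp -d)
make_template "$demo_dir"
while read -r ipso mac ip; do
    write_ifcfg "$demo_dir" "$ipso" "$mac" "$ip"
done <<'EOF'
eth-s3 02:00:00:00:03:01 192.0.2.1
eth-s4 02:00:00:00:04:01 198.51.100.1
eth-s5 02:00:00:00:05:01 203.0.113.1
EOF
cat "$demo_dir/ifcfg-eth1"
rm -rf "$demo_dir"
```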
If all has gone well up to this point, it now is time to shut down the desktop system and return the drive to the Nokia machine. Be sure to re-attach the top of the IP330 case to keep the CPU cool during intensive operations, such as a kernel compile. The four fans at the back of the machine are effective only when the case is sealed, and a good way to demonstrate this point is to try consecutive kernel compiles without the top attached. The CPU usually overheats and causes the machine to crash during the first compilation attempt. With the case properly secured, the number of consecutive kernel compiles has no effect on the stability of the machine, which is what one would expect.
Before booting the IP330, reinstall the desktop disk in the desktop PC and boot into Linux. Use the serial cable to connect the two serial ports on the two systems and run minicom. Recall the serial port settings we specified in /etc/lilo.conf, and configure minicom to match.
Now we are ready to boot Linux on the IP330. After the memory test is finished (which can be interrupted by pressing the ESC key twice) the familiar LILO boot prompt should be displayed and then the kernel boot sequence happily flows past. After the sequence is finished, init gets a chance to run and eventually a login prompt is displayed (see Resources).
Even though we are successfully running Linux on the IP330 at this point, it still is a good idea to recompile the kernel from scratch in order to put the operating system through its paces. This helps to ensure Linux is indeed stable on a hardware platform not specifically designed to run Linux. Besides, an added bonus is that the 256MHz processor probably allows enough time to grab a quick sandwich during the recompilation process.
With the Nokia up and running, connect it to the network and test by pinging another host on the same network; use your default gateway or the Linux desktop machine, if necessary. Then execute the command:
iptables -A INPUT -p icmp -i eth0 -j LOG
Ping the host again, and this time iptables log messages should show up in the /var/log/messages system log when the icmp echo reply packets reach the firewall.
To test the filtering ability of iptables, execute the following command and then try to ping the host again:
iptables -A INPUT -p icmp -i eth0 -j DROP
The reply packets now should be logged and dropped, so the ping does not succeed. We have established that iptables can both log and filter traffic, but we have one more test to run:
iptables -I INPUT 1 -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Execute the ping once more, and it should work once again even though both the log and drop rules still are in effect. This illustrates the stateful capability of iptables, in which packets associated with legitimate network traffic are let through and no log messages are generated (see Resources).
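Why the third command uses -I INPUT 1 rather than -A can be seen by walking the chain in rule order. The following added example (not code from the original article) is a simplified model of INPUT traversal that understands only the matches and targets used in the three commands above; the rule listings are constructed in iptables-save syntax, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article: a simplified model of INPUT
# chain traversal. It understands only the matches used in the three test
# commands (-i, -p, -m state --state) and the targets LOG, DROP and ACCEPT.

# usage: verdict IFACE PROTO CONNTRACK_STATE < rules in iptables-save syntax
# prints "<ACCEPT|DROP> logged=<count>"
verdict() {
    awk -v ifc="$1" -v proto="$2" -v st="$3" '
        /^:INPUT / { policy = $2; next }                 # chain policy
        final != "" || $1 != "-A" || $2 != "INPUT" { next }
        {
            hit = 1; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i" && $(i + 1) != ifc) hit = 0
                if ($i == "-p" && $(i + 1) != proto) hit = 0
                if ($i == "--state" && !index("," $(i + 1) ",", "," st ",")) hit = 0
                if ($i == "-j") target = $(i + 1)
            }
            if (!hit) next
            if (target == "LOG") logged++      # LOG records and falls through
            else final = target                # ACCEPT or DROP ends the walk
        }
        END {
            if (final == "") final = policy    # nothing terminated: use policy
            print final " logged=" (logged + 0)
        }
    '
}

# Constructed rule listings, one per step of the test above.
POLICY=':INPUT ACCEPT [0:0]'
R_STATE='-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT'
R_LOG='-A INPUT -p icmp -i eth0 -j LOG'
R_DROP='-A INPUT -p icmp -i eth0 -j DROP'

log_only()       { printf '%s\n' "$POLICY" "$R_LOG"; }
log_drop()       { printf '%s\n' "$POLICY" "$R_LOG" "$R_DROP"; }
# -I INPUT 1 places the state rule ahead of LOG and DROP
state_inserted() { printf '%s\n' "$POLICY" "$R_STATE" "$R_LOG" "$R_DROP"; }
# Counter-example: the same rule added with -A lands after DROP
state_appended() { printf '%s\n' "$POLICY" "$R_LOG" "$R_DROP" "$R_STATE"; }

# The echo reply to our own ping is ESTABLISHED; an unsolicited echo
# request from another host is NEW.
for rules in log_only log_drop state_inserted state_appended; do
    echo "$rules: reply -> $($rules | verdict eth0 icmp ESTABLISHED)"
done
echo "state_inserted: unsolicited -> $(state_inserted | verdict eth0 icmp NEW)"
```

The last line of output shows that the state rule admits only replies to traffic the firewall itself started: an unsolicited echo request still reaches the LOG and DROP rules.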
Depending on the specific application of the IP330 in your network, you may require software additional to what is listed here. But, at a minimum you probably want to download and compile the latest versions of the OpenSSL libraries, OpenSSH and the iptables user space code. If you require the Nokia to become part of an OSPF area, install the Zebra routing dæmon. If you require the Nokia to fail over to another machine, install Keepalived and configure it to run VRRP. The VRRP implementation of Keepalived is particularly good. It is extremely easy to put one or all three interfaces on the Nokia into a "sync group" that fails over all interfaces if the link on any particular interface is lost. If you require the Nokia to form an endpoint for an IPSEC VPN, install FreeSWAN (see Mick Bauer's Paranoid Penguin columns from the January and February 2003 issues of LJ for an excellent exposition on FreeSWAN). One of the biggest advantages to running Check Point Firewall-1 is the GUI interface, which makes it easy to configure a firewall policy. Firewall Builder provides similar functionality for iptables, and Mick Bauer covers it in the May issue of Linux Journal.
For information regarding compiling the Linux kernel, see the Kernel HOWTO.
Some iptables options, such as limit match and MAC address support, may or may not need to be compiled in, depending on the needs for your particular network configuration.
For more information on serial support in Linux boot loaders, see www.tldp.org/HOWTO/Remote-Serial-Console-HOWTO
Although hardening the Linux installation is beyond the scope of this article, it is important to turn off all unnecessary services. To fully harden the Linux installation install Bastille Linux.
More information on the configuration and administration of iptables can be found in the various Netfilter HOWTOs
Michael Rash works as a senior security engineer for an ASP in Annapolis, Maryland. He holds a Master's in Applied Mathematics from the University of Maryland and has been tinkering with Linux since 1998. In his free time, he enjoys playing the violin for the Prince George's Philharmonic Orchestra.
I am searching for a nice
On November 3rd, 2009 nokia 5310 (not verified) says:
I am searching for a nice Linux platform for my latest gadgets thanks a lot for providing the script thanks for the post regards : nokia 5310
Hi im trying to configure a
On December 6th, 2006 Chris (not verified) says:
Hi, I'm trying to configure a Nokia IP330 now, but I could not find the NAT option. Can anyone guide me on how NAT works on Nokia? Thanks a lot, look forward to your replies.
IP130 and hard drive 40GB
On April 15th, 2006 michal (not verified) says:
Hello,
does anybody run IP130 with HDD larger than 30GB? I have bought HDD 40GB and it doesn't boot. I have tried with borrowed HDD 30GB and everything was OK.
Do you have any suggestions?
IP 130 and hard drive 40GB
On March 15th, 2007 Anonymous (not verified) says:
Hi there,
This may not be the correct answer, but when I spoke to Nokia tech support today about the hard disk size limitation on my IP530, this is what he responded:
===================================================================
The Ip530 can either support up to a 32gig HD or a 40 gig HD.
Any customer with an IP530 serial numbers prior to 9N0229XXXXX) that requests replacement or secondary drives should be supplied with FRUNIY0503FRU (32GB). Customers with IP530 serial numbers after 9N0229XXXXX should be supplied FRU NIY0502FRU (40GB).
You can view and update your case by logging onto the Nokia Support Web at https://support.nokia.com or by replying to this email. Please do not edit the subject or reply-to fields of your email response.
Thank you,
Nokia Technical Support
====================================================================
You may want to go to http://support.nokia.com and open a trouble ticket over there to get a correct answer.
Good luck!
IP130 and hard drive 40GB
On September 24th, 2006 Anonymous (not verified) says:
Hi!
Have you solved the hard drive issues?
cus I have same problem :(
Another way using VMware and other bits of info.
On February 13th, 2006 David W Studeman (not verified) says:
I have managed to use VMWare to create a fixed image the same size of the drive I use and use winimage to copy the vmware image. I'm using IPCop but have Endian Firewall on one of my IP330's as well. I use a usb to ide converter for the actual drive slaving for direct imaging when done making the vmware image. I like the usb bridge because it's quick and when I plug it into my SuSE box, the three ext3 partitions automount in /media and I can then edit the necessary files for making it work in the Nokia. The reason I don't just install IPCop directly to the physical drive is because VMware sees usb driven drives as scsi. Obviously once the drive is in the nokia hooked up normally, drive sd will not make sense as it will look for hd since it really is an ide. I did have to change the extension of the .vmdk image to .vhd so winimage would see it. Anyway you look at it, a flat image the exact size of the hard drive is just a hard drive image, you must configure vmware to make it act as an ide so you actually get a proper ide hd image. The variable image size which is default would likely create all sorts of errors. Another way with Vmware is to actually slave the nokia drive into an ide ribbon, boot back up, install whatever you plan to run on the Nokia in VMware using that physical drive and yes it will warn you about this. The USB ide adapter and using Winimage is the easiest way if you have the adapter since there is no shutting down the host machine and opening it.
I keep seeing people say that the Nokia IP330 uses a K6-2 266. I own two and they are both 400mhz and the 256 you see in the bios is actually how much L2 cache it has as the actual speed is not echoed out with this rather terse bios. My IP330's are both IP2331's which is the platform model. I notice some say that their IP330's are actually IP2330's which is the same platform as the P050 which cost next to nothing on ebay these days. BTW, of my two IP2331's, one motherboard is Rev A and the other is Rev B. Technically, it is the OS that determines if it is an IP330 or whatever. I do think the firewall/router distros such as IPCop, Smoothwall, Endian (based on IPCop but more tweakable), Monowall and PFsense (almost there) will be ideal for this hardware. With any of these running on this platform, at least the 400mhz versions, the firewalled throughput is around 80 to 90mbs. VPN would drop that down but your average firewall/router you buy for a couple hundred at the computer store would throughput much less. Don't be fooled by the 10/100 port as this is just line speed and does not indicate what the device can really pass through it. If people only knew how choked some of them (book size with wall wart power supply) really are, they would be appalled.
Optional hardware: The front is a 3U 32 bit cPCI (Compact PCI) bay and the os sees this the same as any other 32 bit pci bus, the exception is that it is hotpluggable and all recent Linux kernels support this. The one in the rear is a 32 bit PMC bay, also a 32 bit PCI bus but you have to take the unit apart to place a PMC module in there so that would be one you would want to use for something that you are not likely to change. Adapters DO exist to use standard pci devices in either PMC or cPCI bays but you cannot put a pci card on a cPCI adapter and hotplug it but at least you can use regular pci hardware.
Why do this at all? Because we can and the hardware can be had cheap now. Never mind whether we should or not, what fun is that?
IPcop on Nokia IP330 boxs
On June 6th, 2007 Dave Finley (not verified) says:
How about a tutorial on installing IPcop on one of these critters?
Hints and questions for endian firewall and nokia IP130
On March 28th, 2006 Hahtokari Mika (not verified) says:
Hi,
I have played around with Nokia IP130 and Endian firewall distro. I managed to make hardware to boot with endian and was able to connect with serial terminal to it.
My method was to install Endian on an Intel 400MHz laptop with an Intel NIC. I disabled USB and PCMCIA detection during setup. After installation and a few tweaks for serial and GRUB, I switched the HD to my Nokia IP130.
My problem is with Ethernet not showing up. The e100 driver won't load due to the checksum error. Any hints how to proceed?
I also have a problem that the terminal connection is not reliable ... it acts funny quite often. What should I double check?
Another tweak I needed to do was related to GRUB. I needed to disable showing of that fancy boot screen during Endian boot up.
Slurp image
On March 11th, 2005 Anonymous (not verified) says:
Has anyone had the presence of mind to do a
Ghost4Unix type operation on their successfully
built box? If so, can someone post a link for it?
Help! receiving just AT after installing linux
On March 11th, 2005 Ste (not verified) says:
I have a Nokia IP330 unused, so I decided to transform it in a Linux server to use it for some services. That's simple.
I installed Slackware (putting the HD in another PC) successfully once, then I decided to reinstall it, because some things were not working properly, but now I just receive AT on serial line.
I repeated the whole procedure many times, but I am not able to get it working.
Has anybody an idea about this problem?
Ste
Re: Running Linux and Netfilter on Nokia IP Series Hardware
On May 4th, 2004 Anonymous says:
I have a Nokia IP 330 (K62-400/256MB) working with Gentoo 2004.1 on kernel 2.6.5-mm6. Make sure you install distcc :)
I had to make two changes to e100.c in /usr/src/linux/drivers/net/ to handle the bad eeprom errors:
- if(checksum != nic->eeprom[nic->eeprom_wc - 1]) {
+ /*if(checksum != nic->eeprom[nic->eeprom_wc - 1]) { */
+ if (0)
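Review bot: The replacement line "if (0)" has no opening brace, while the brace of the original condition now sits inside the comment, so the closing brace of the old block is left unmatched or the test guards only the next statement. Write it as "if (0) {" to match the second change, and delete the commented-out condition rather than keeping it beside its replacement.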
and
- if(!is_valid_ether_addr(netdev->dev_addr)) {
+ /*if(!is_valid_ether_addr(netdev->dev_addr)) { */
+ if (0) {
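Review bot: With the is_valid_ether_addr(netdev->dev_addr) test replaced by "if (0) {", the driver no longer rejects an invalid address, so the interface can be registered with whatever the unreadable EEPROM returned. Keeping the test and downgrading the failure to a logged warning would preserve the diagnostic; either way a valid MAC has to be assigned before the interface carries traffic.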
Dan
Re: Booting Linux and Netfilter on Nokia IP Series Hardware
On May 4th, 2004 Anonymous says:
I should note that when I first looked at the machine, it wouldn't boot (nothing on the screen over the serial console).
First thing I did was remove the CMOS battery for 10 mins and then retried. I was then greeted by the Award BIOS screen as expected.
I also ran the gentoo install (all the way from stage 1) on a P3-800 with 512MB ram to speed things up. Remember to use the k6-2 flags in make.conf.
Dan
Re: Running Linux and Netfilter on Nokia IP Series Hardware
On December 24th, 2003 Anonymous says:
Excellent article. I too have a spare IP330 laying around that I would like to put Linux on. I have tried debian, gentoo, FreeBSD and OpenBSD but I cannot get the OS to boot. I don't have a standard serial cable to use, but I do have the Nokia supplied cable.
Any suggestions?
joe_stevensen(at)yahoo.com
Re: Running Linux and Netfilter on Nokia IP Series Hardware
On May 27th, 2004 Anonymous says:
I use a null modem serial cable (buy it at RadioShack) and works perfect (I give nokia support with this using my linux laptop)
Re: Running Linux and Netfilter on Nokia IP Series Hardware
On February 6th, 2004 Anonymous says:
You don't need a "Nokia" supplied cable. All you need is a DB9 female/female null modem serial cable. These can be picked up for approximately $2.50 at most online vendors (try www.sfcable.com as one source).
Re: Running Linux and Netfilter on Nokia IP Series Hardware
On January 30th, 2004 Anonymous says:
Got debian with LILO working.
Problems getting the NICs to work with kernel 2.4.20
On July 26th, 2003 Anonymous says:
I'm using Red Hat Linux 9 with kernel version 2.4.20.
With Donald Becker's eepro100 driver, all three interfaces come up, but the MAC address for all three is set to FF:FF:FF:FF:FF:FF, the driver reports an invalid EEPROM checksum, and I cannot set the proper MAC addresses with ifconfig (as your instructions specify). I've posted a more complete description of everything I tried to comp.os.linux.hardware.
Does anyone have any suggestions?
Kind regards,
Matthew Economou (meconomou at cchmc.org)
Re: Problems getting the NICs to work with kernel 2.4.20
On July 27th, 2003 mrash (not verified) says:
Hi Matthew -
It sounds like you have tried everything to get the Becker driver
to work (eepro100-diag, etc.). For the Becker driver I don't really
have any additional suggestions. However, in my testing I was also able to get the Intel e100 driver to work after disabling the
checksum verification code directly within the driver (I also got
the "corrupted EEPROM" message). Here is a trivial patch that
disables the checksum verification (unfortunately I don't have the
version number of the driver code that matches this patch since I
did the work for the article several months ago). However, it should be easy to get the patch to work against other versions of the e100 driver.
[root@fwtest2 src]# diff -u e100_main.c.orig e100_main.c
--- e100_main.c.orig Tue Dec 10 20:01:05 2002
+++ e100_main.c Tue Dec 10 14:54:31 2002
@@ -704,7 +704,8 @@
/* Check if checksum is valid */
cal_checksum = e100_eeprom_calculate_chksum(bdp);
read_checksum = e100_eeprom_read(bdp, (bdp->eeprom_size - 1));
- if (cal_checksum != read_checksum) {
+/* if (cal_checksum != read_checksum) { */
+ if (0) {
printk(KERN_ERR "e100: Corrupted EERPROM on instance #%d
",
e100nics);
rc = -ENODEV;
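Review bot: Replacing the comparison with "if (0) {" switches off EEPROM checksum verification unconditionally, for every adapter this driver handles and not only the Nokia on-board NICs, and leaves the printk and "rc = -ENODEV" lines under it as dead code. A narrower change would keep the cal_checksum != read_checksum test, report the mismatch as a warning, and skip the -ENODEV failure only behind an explicit opt-in such as a module parameter; the commented-out condition should be removed rather than kept next to its replacement.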
BTW, thanks for reading the article. Let me know how it turns
out or if you have other questions please don't hesitate to send
me email. (I tried responding to your meconomou@cchmc.org address but encountered a mail loop.)
--Mike
RE: Problems getting the NICs to work with kernel 2.4.20
On May 1st, 2006 cyril (not verified) says:
Hi,
I have an IP350 and I need to run a Linux 2.6 on it.
I did the e100 module modification.
The module is loaded and I can see the link status up when I connect the cable.
I set the MAC and the IP address with ifconfig.
Then I can see packets going out of the IP350, but it seems that the module does not see the incoming traffic. I did a tcpdump in promiscuous mode and I can't see anything.
On the remote PC, I can see the ARP-who-has sent by the IP350 and the response.
I tried the eepro100 module, but with it, the link status is not handled.
Does anyone have a way to solve this?
IP350
On October 29th, 2006 David W Studeman (not verified) says:
I have a few recently acquired ip350 units and I did get it to boot up on IPCop 1.4.11. I got the eepro100 module to load and also was able to assign the mac addresses I saved from the ipso 3.7 install. Only trouble is it would neither receive nor send packets. I downloaded various iterations of the e100 driver since I have a developer version of IPCop running in VMWare and in one instance, I could receive packets but not send. That's the closest I got so far. BTW, the Intel chips are i82559er. I wish we could get more documentation on the hardware itself since Nokia is discontinuing the IP350 and IP380 near the end of November. The pcmcia controller is a Ti 1225 which behaves as it does in many laptops, it does not have an irq set by the bios. The yenta driver in the 2.4 kernel is next to impossible to route irq's with since it does not do well with options. In the 2.6.10 and newer kernels, it should work much differently. Some actually compile the kernel without the yenta driver in 2.4, this supposedly forces the driver in the pcmcia_cs to be compiled instead. This makes the IP330 look so easy. I do like the slide out board of these though, it takes only seconds for me to open it, pop the drive off the board and plug it into a usb to ide bridge with a 2.5" drive adapter on my linux box and I can edit files and change driver modules easily enough. The saddest part about the i82559er chips is that they are better supported in BSD than in Linux. Intel doesn't even list the driver for Linux on this chip but the newer compatible cousin, the i82551er chip does have a Linux driver listed. That said, the idea of finding a quad gigabit pmc adapter looks attractive.
IP350 and Linux
On November 12th, 2006 cyril (not verified) says:
OK, thanks.
So if I understand:
- the 4 internal NICs are not usable
- the PCMCIA is not efficient due to an IRQ issue but is working
is that right?
I found an Ethernet PCMCIA card to test; I will do so and send the results ASAP.
Re: Running Linux and Netfilter on Nokia IP Series Hardware
On May 1st, 2003 mrash (not verified) says:
I should have probably been more clear in the article about my motivation for getting Linux to run on the Nokia:
1. My current employer has purchased over 400 of these devices and so buying support to upgrade to newer versions of IPSO costs a _lot_ of money.
2. Upgrading IPSO is not something that can be brushed aside, especially if a vulnerability is found in a part of the OS that _forces_ you to upgrade. This actually happened to us.
3. I did not claim the Nokia was a particularly nice piece of hardware (see the "Hardware Specifications" paragraph). Of course one could go out and buy any modern 1U machine and it will certainly out perform a four-year-old Nokia IP 330 and cost many times less. However, if you are an organization (like mine) that already has the hardware lying around and would like to make use of it, why not put Linux on it?
Thanks for reading.
--Mike
Re: Running Linux and Netfilter on Nokia IP Series Hardware
On April 30th, 2003 Anonymous says:
What a tremendous waste of time to even do this. First of all, the only value that Nokia's IPSO even provides in the first place is that it is a hardened OS that is compiled to match perfectly to the Nokia hardware. Nokia platforms are running, by today's standards, very slow processors; you could pick up an Intel server on eBay for 1/4 of the price of a Nokia. The only thing that could be a bigger waste of time would be running your corporate firewalls on converted X-Boxes... Get a life people, spend some money on a real firewall... If your data is worth so little, buy a Netscreen
Re: Running Linux and Netfilter on Nokia IP Series Hardware
On April 30th, 2003 Anonymous says:
I think you're missing the point. If you happen to own one of these beasties already, this provides an alternative to shelling out big bucks to checkpoint for upgrades
Re: Running Linux and Netfilter on Nokia IP Series Hardware
On April 30th, 2003 Anonymous says:
This is just about the most pointless thing you can do with a Nokia box. If you want to run a firewall on linux, just buy a well built intel box and stick quad nics and gig ports into it. Don't spend several thousand over the odds for a pc from Nokia
Re: Running Linux and Netfilter on Nokia IP Series Hardware
On April 30th, 2003 Anonymous says:
I agree. If you're going to "roll your own," why buy a Nokia? For the same price (or less) you can get a much faster off-the-shelf type box.
Re: Running Linux and Netfilter on Nokia IP Series Hardware
On April 30th, 2003 Anonymous says:
I suppose that the point is to run it on the old IP330 which came with AMD K6-2/266 and 64M RAM, but even in this case it is pointless, because IPSO is far better than Linux (except filtering itself which is not stateful).
IPSO supports both IGP and EGP routing protocols, has a simple traffic shaper, fault management, you can run mrtg and squid, build proxies using netcat, use ntp for time sync and a lot of other things. I can't imagine running RedHat or any other Linux (maybe IpCop, but I am not sure) instead of a robust, high-quality, security-focused and more stable operating environment.
Yes, but have you compared th
On May 14th, 2005 Anonymous (not verified) says:
Yes, but have you compared the prices of FW-1 and Red Hat Linux?
Old news & There's a better way
On April 29th, 2003 Anonymous says:
1. This is very old news. We have been doing that for at least a couple of years now.
2. There's a much easier way of installing Linux on the IP330.
All you have to have is an IDE CD-ROM, a dual connector power cable, a dual connector IDE cable, the original console cables that came with the IP330.
- open up the IP330
- connect the IDE CD-ROM to the IP330 using the dual connector power cable and IDE cable (obviously connect the HD as well)
- connect to the IP330 using the "nokia" console cable with your favorite term program (minicom or SecureCRT type)
- When you use the original console cable, you will be able to get to the BIOS, change the boot order to boot from the CD
Then you have a fully bootable CD-ROM, you can install whatever the heck you want. I have installed FreeBSD and Linux without any problems. Might try Solaris x86 if I can get a copy sometimes.
Obviously, this will destroy your IPSO partitions (there's usually two, one for the boot mgr and one for IPSO). If you want to be able to revert, dd the partitions somewhere so you can dd back.
Be sure to arp -s your interfaces like the article has described.
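The "dd the partitions somewhere so you can dd back" step from the comment above, as an added example that is not part of the original comment: it images a source, records a SHA-256 of the image, and refuses to restore an image that no longer matches. The function names and the scratch file standing in for the appliance's drive are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the comment thread). On real hardware SRC/TARGET
# would be the partition or disk device node; here a constructed scratch
# file stands in for the drive so the script is safe to run anywhere.

# backup_image SRC DEST: copy SRC to DEST and record the image's SHA-256.
backup_image() {
    dd if="$1" of="$2" bs=1048576 2>/dev/null || return 1
    ( cd "$(dirname "$2")" && sha256sum "$(basename "$2")" > "$(basename "$2").sha256" )
}

# verify_image IMG: succeed only if IMG still matches its recorded hash.
verify_image() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# restore_image IMG TARGET: write IMG back, but only after it verifies.
restore_image() {
    verify_image "$1" || { echo "image $1 failed verification" >&2; return 1; }
    dd if="$1" of="$2" bs=1048576 conv=notrunc 2>/dev/null
}

# demo: back up a constructed 4 MiB "disk", overwrite it, restore, compare.
demo() {
    work=$(mktemp -d) || return 1
    disk="$work/disk.img"                       # constructed stand-in drive
    dd if=/dev/urandom of="$disk" bs=1048576 count=4 2>/dev/null
    before=$(sha256sum < "$disk")
    backup_image "$disk" "$work/backup.img" || return 1
    # Simulate the reinstall wiping the original contents.
    dd if=/dev/zero of="$disk" bs=1048576 count=4 conv=notrunc 2>/dev/null
    restore_image "$work/backup.img" "$disk" || return 1
    after=$(sha256sum < "$disk")
    rm -rf "$work"
    [ "$before" = "$after" ]
}

demo && echo "restore verified"
```

Store the image and its `.sha256` file on a different machine from the one being reinstalled, since the install overwrites the local disk.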
Any problems with the CDROM i
On November 24th, 2004 John (not verified) says:
Any problems with the CDROM in the IP330? Mine doesn't have an option under the HDD for CDROM, I have set it to auto. Boot sequence is setup to CDROM,C,A but doesn't seem to want to boot. I know the CDROM is good and the CD is bootable.
-john
Re: Old news & There's a better way
On June 8th, 2003 Anonymous says:
I purchased a second hand IP330 and unfortunately the IPSO image was destroyed through an upgrade. - All I get now from a console connection is a flashing cursor with "AT" displayed on the screen.
I want to install linux on the machine but I don't have the original Nokia console cable - thus can't see the BIOS to change the boot order. - Nor do I have the experience of fiddling with Kernels etc.
I have tried the dd command on another Linux box, but I'm a newbie and couldn't even get the second hard drive to mount!!!
Someone told me the IPSO file system is encrypted?
Anyhow, does anyone know of a tech support company in the UK that would be prepared to help for a low cost charge?
Thanks,
John - Email address provided below...
hin6schx02@sneakemail.com
Re: Old news & There's a better way
On May 27th, 2003 Anonymous says:
Looking for details on how to access and configure ip330 bios. I don't have the original serial cable. Any details would be appreciated?
Re: Old news & There's a better way
On February 6th, 2004 Anonymous says:
The Nokia "bios" is actually from Award. Go buy a standard DB9 female/female null modem cable from an electronics store -- usually < $10.00.
Re: Old news & There's a better way
On May 1st, 2003 Anonymous says:
I've tried your suggestion with RedHat 6.2, 7.3 and 8.0
It boots off the CD and gets to the first menu.
When I choose the text install, it blanks the screen and hangs for a while.
After a bit it comes back with the following.
Re: Old news & There's a better way
On December 15th, 2003 Anonymous says:
In case you're still wondering what to do about this problem, here is the answer:
This is an install via terminal, so when the installer comes up, don't use text install but put in this line: "linux console=ttyS0,9600". This will then show you the rest of the install.
Cheers,
Tristan Delsol
Add a GUI for iptables configuration
On April 29th, 2003 Anonymous says:
If you miss the GUI configuration console from Firewall-1 on your new open source firewall, check out Firewall Builder (http://www.fwbuilder.org/).
I cannot get into the bios
On December 12th, 2005 Anonymous (not verified) says:
I cannot get into the bios of my ip330, is there a keypress that is necessary?
Escape will terminate memory
On December 13th, 2005 Anonymous (not verified) says:
Escape will terminate memory countdown, tab will enter the bios. Be sure to use a 'correct' null modem DB9 F/F cable.
Actually, hitting tab will
On February 13th, 2006 David W Studeman (not verified) says:
Actually, hitting tab will stop the memory countdown like esc will but then shortly thereafter go into the bios.