Running Linux and Netfilter on Nokia IP Series Hardware
Check Point Software Technologies has the largest market share of any firewall vendor with their Firewall-1 (FW-1) product, and Nokia manufactures several hardware appliances together with an operating system called IPSO to run FW-1. IPSO is based on FreeBSD, provides advanced routing and failover capabilities and is extremely stable, with uptimes regularly running in the multiple hundreds of days. Nokia and Check Point together provide as close to a de facto standard for enterprise firewalls as possible in a field with such a diversity of security vendors. Of course, all of this comes at a price; Check Point makes a lot of money on both licensing fees and support contracts for Firewall-1. Then, as time marches on, Check Point stops supporting older versions of FW-1. This by itself does not force companies to upgrade to newer versions of FW-1, at least not until a security vulnerability or other bug is discovered. Firewall-1 is not open-source software and, hence, cannot be patched without Check Point's (paid) assistance.
The purpose of this article is to illustrate a method for installing Red Hat Linux on a Nokia IP330 and, furthermore, to show that Netfilter can function properly in this hardware environment. The choice of Red Hat as the Linux distribution mostly is motivated by its relative ease of installation as compared to other distributions, such as Debian, Gentoo or Linux From Scratch. These others certainly work, and Gentoo was tested as such. This article merely serves as a proof of concept. It is assumed the reader has some familiarity with Linux system administration.
A base Nokia IP330 appliance manufactured in 1999 contains an AMD K6-II 266MHz processor with 64MB of RAM and an 8.0GB Quantum Fireball IDE hard drive. It is a 1U rackmountable machine with no CD-ROM or floppy drive, no keyboard or mouse ports, no graphics card, only one IDE port and one serial console port. The motherboard is custom built by Nokia with an Intel PCI bus, runs an Award BIOS and is labeled NOKIA IPRG IP300 SERIES. Three 10/100Mb Intel EtherExpress Pro Ethernet interfaces are built right onto the motherboard. Although the hardware spec of the IP330 indicates it is somewhat less endowed than is more modern hardware, it nonetheless is quite capable of handling the task it was designed to perform.
1 Phillips head screwdriver
1 serial cable
1 Nokia IP330
1 standard desktop PC running Linux with an AMD K6-II (266 or 500MHz) processor, CD-ROM drive and an Ethernet interface
Red Hat 7.3 disks (only the first two installation disks are necessary)
Access to the Internet
Remove drive from Nokia IP330 and install in the desktop system.
Install RH 7.3 Linux on the desktop with only network support and the individual GCC, autoconf and ncurses packages.
Boot into the newly installed Linux distribution on the desktop.
Download the latest stable kernel (2.4.20 as of this writing).
Compile the kernel for AMD K6-II, serial support, no LKMs, ext2/ext3 filesystems, iptables, VM support, the Becker eepro100 driver and so on.
Shutdown the desktop and reinstall the drive in the IP330.
Boot and configure an iptables policy.
Before we start the installation process, it is important to have the necessary hardware and software and to review the installation outline above. Begin with the Nokia IP330 and the desktop PC both in functioning states, with IPSO installed on the Nokia machine and Linux on the desktop.
At the end of this process, we aim to have a functioning Linux system on the original drive, which currently is in the IP330. Before we begin formatting any disks, however, it is important to boot into IPSO and record the MAC addresses of all three Ethernet interfaces using ifconfig. The reason this is necessary stems from the fact that the Intel EtherExpress cards are built onto the Nokia motherboard, and each of their EEPROMs apparently is not located at an address where either the standard Linux eepro100 driver or the Intel e100 driver expects to find it. The cards accept MAC addresses manually with ifconfig, however, and this allows us to simply transfer the MAC addresses as reported under IPSO to the cards directly when we have installed and booted into Linux. You may also want to record other information from the Nokia, such as IP addresses, ospf and vrrp configurations and so forth.
Now that all important information from the Nokia has been recorded, the next thing to do is crack open the case of the IP330. After removing all 17 screws (including the drive screws) to remove the top of the IP330 case, disconnect the drive IDE and power cables. Take the Nokia drive out of the IP330 and swap it in place of the Linux drive currently installed in the desktop PC. Boot off of Red Hat install CD #1. Although the graphics mode of Anaconda works perfectly well, the text mode seems a bit less cluttered, so pass the option text at the boot prompt. Use fdisk or disk druid to remove any existing IPSO UFS partitions, add a 128MB swap partition and three ext3 partitions: /boot (50MB), /etc (200MB) and / (remaining space). Once the new partition table is saved there is no going back; both IPSO and Check Point FW-1 are gone.
Next we must choose a boot loader. Both LILO and GRUB work on the IP330s, but LILO is less than one tenth the size of GRUB. Hence, LILO was chosen for this article as it is less complex. The BIOS on the Nokia machines is able to load the boot loader into RAM off the master boot record and jump to it as any normal BIOS would do, so instruct Anaconda to install LILO in the MBR. Several of the next configuration sections are routine, no special options need to the passed to the kernel at boot time: select an appropriate network configuration so the machine can be put on the network, select the default shadow/MD5 password scheme and so on. When it comes time to install the various packages, select only Network Support and then go into the Select Individual Packages section and add GCC, autoconf and ncurses.
After the package installation finishes, the last detail to take care of before starting the real work is the creation of the boot disk. Even though the Nokia IP330 has no floppy drive, it still is useful to create a boot disk, because the drive always can be moved to another machine if something goes wrong.
|Where's That Pesky Hidden Word?||Aug 28, 2015|
|A Project to Guarantee Better Security for Open-Source Projects||Aug 27, 2015|
|Concerning Containers' Connections: on Docker Networking||Aug 26, 2015|
|My Network Go-Bag||Aug 24, 2015|
|Doing Astronomy with Python||Aug 19, 2015|
|Build a “Virtual SuperComputer” with Process Virtualization||Aug 18, 2015|
- A Project to Guarantee Better Security for Open-Source Projects
- Concerning Containers' Connections: on Docker Networking
- Problems with Ubuntu's Software Center and How Canonical Plans to Fix Them
- My Network Go-Bag
- Firefox Security Exploit Targets Linux Users and Web Developers
- Doing Astronomy with Python
- Build a “Virtual SuperComputer” with Process Virtualization
- diff -u: What's New in Kernel Development
- Three More Lessons
- Calling All Linux Nerds!