Rolling Your Own Firewall

How to use Pebble, a Debian-lite distribution, to get your homemade firewall up and running.

I've been hearing a lot of talk lately about firewall appliances and how much of a pain they can be to use. Many of them tend to be Windows-specific in various ways, or they don't have all the flexibility us Penguin-heads have come to know and love with iptables. So, I decided to see exactly how much pain is involved in rolling your own firewall.

A visit to the scrap closet netted me a beautiful little machine: a Dell 486D/50, with 16MB of RAM, an 854MB Western Digital hard drive, a floppy and a 3Com 3C509 NIC. Add to that a Viking V.90 external modem, a second-hand 14" monitor and a keyboard to do the install with (the sticker on the monitor says $29.95), and we're ready to rip.

With all that hard drive space sitting there (you, in the back, stop snickering), I thought I'd go for something a little more powerful than your average floppy-based distribution. Indeed, I fired up LEAF for a few minutes, but realized I wanted a bit more. I had been looking at Pebble, a Debian-based mid-sized distribution, for a while, and it looked perfect for the job. Pebble is designed to run on a 128MB Compact Flash chip, but it works easily with other devices, including CD-ROM. It mounts root read-only and keeps the log files and other writables on a 10MB RAM disk; you can pull the plug on the box and lose only the logs. Pebble also is ext3-based, so if you lose something while tweaking the box, you don't have to fsck, which can be slow and painful on a 486.

What the scrap closet did not contain, though, was a CD-ROM device. How am I going to get the initial tarball over there? Easy. Tom's Root-Boot. Make a quick stop at, suck down the tarball, extract, run install.s and feed your running machine a floppy. In a few minutes, you have a bootable mini-Linux.

Back to the 486 we go, boot tomsrtbt, mount the hard drive (it had an old Slackware distribution on it), rm -rf * (carefully!), mkdir /tmp and wget the tarball over. Now, tar -xvjf--but no. Tom's has a lot of stuff, but full-out GNU tar isn't one of them. You have to do it the hard way:

bzip2 -dc pebble.tar.bz2 | tar -xvf -

and much waiting ensues.

Now, time to configure this little monster. Because Tom's is sparse on tools, I typed chroot /mnt and used Pebble's own tool set to configure it. First generate the SSH keys per the README:

ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key

Now we have to make it bootable.

cp /etc/lilo-standard.conf /etc/lilo.conf
vi /etc/lilo.conf

The LILO setup assumes you have your compact Flash mounted on your development machine as /dev/hde. Because we're configuring in situ, we can take that part out and set the boot stanza to /dev/hda as well. A call to lilo -v, a reboot and we're done.

It works--sort of. I had assumed Pebble would have a full compliment of built-in NIC modules and my 3C509 would be auto-detected. Wrong. So, run the remountrw script to make things writable (it boots read-only remember), edit /etc/modules to load 3c509.o on boot, add alias eth0 3c509 to /etc/modules/aliases, run update-modules and we have network. eth0 already was configured in /etc/network/interfaces, but you might want to check it for your own use.

The README indicates NoCat (a wireless access utility) is run from /etc/inittab, so I went poking in there to make sure it was turned off. It was, but I noticed that ttyS0, where I had the modem plugged up, had a getty set to run on it. This is fine for a serial console, but it's not fine when you want to use it for dial-out. Although we could use something fancy, such as agetty, to make the port bidirectional, I decided it was a lot faster and easier simply to move the modem to ttyS1 (labelled COM2 on the back of the Dell).

A quick reboot to check the network settings, and we're ready to start configuring things. Start with the modem; I see PPPD here but no pppconfig. Well, the beauty of Pebble is it's Debian under the hood.

apt-get update
apt-get install pppconfig

pppconfig brings up a dialog-based interface and lets you plug in all the pertinent information to make your modem talk to your ISP. My first pass at configuring didn't work so well; I assumed my ISP was using a chat interface, but a double-check of their web page revealed they were using PAP to authenticate. Fine. Run pppconfig again, edit the configured interface, change authentication type and done. pon provider gave me a PPP link.

Next, we tackle DHCP for our inside network. First rule of computing: beg, borrow, steal and then write. I stole a working config off my DSL firewall but promptly hit a snag. Pebble's DHCPD is udhcpd, a mini version that doesn't do dynamic DNS updating, which I had configured on my big firewall. When it got to the line in the configuration for DynDNS, it gave me the computer equivalent of "huh"? You don't grok that, do you, little guy? So, I commented out that line, and DHCPD promptly fired up and was happy. For those who haven't done this, look in /usr/share/doc/dhcp/examples on a full-house Debian system and likely on most others, as well. Most of what's there should be portable to udhcpd.

Now that the inside and outside interfaces work, we have to make them talk. Again, steal. If you have a working iptables setup, you can borrow it. Otherwise, the IP Masquerade HOWTO has a well-documented example or three; I won't try to repeat their fine work. Drop that setup into place and voilà!--firewall on a budget. And the beauty of it is, if you need to add something--mini-web server, mail proxy--you can simply apt-get it.

Pebble can be pulled down from the NYC Wireless web site. It's only 17MB compressed; my final system ended up being 81MB on the disk. Old 486 boxes can be found cheap or for free in closets and second-hand PC shops. The latter is more likely to carry Pentium-class machines, which can handle faster PCI NICs--a good thing to have if you want to do this with DSL rather than with a modem.

Glenn Stone is a Red Hat Certified Engineer, sysadmin, technical writer, cover model and general Linux flunkie. He has been hand-building computers for fun and profit since 1999, and he is a happy denizen of the Pacific Northwest.




Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Re: Rolling Your Own Firewall

Anonymous's picture

Is it possible to strip this down to fit on a 32mb compact flash card ?
I only need two nics, iptable, nat, vi, telnet, no mail or www, maybe crontab and logs?
can I configure this from within redhat 9 and then make an iso image and copy it to a cf card preconfigured?

Re: Rolling Your Own Firewall

Anonymous's picture

A more usefull link might be:

This site offers a small firewall distro that would fit on 32 mb compact flash. Or try Floppyfw for a really tiny firewall. I've used it for years and it works ver well indeed.

-Ted Clark

Re: Rolling Your Own Firewall

Anonymous's picture

Flash is cheap! Here, kid, here's a quarter, go get yourself a 64M compact flash!

Re: Rolling Your Own Firewall

Anonymous's picture

An excellently written computer conquest story. This little fun-embedding and informative reads like prose. The author does a great job of introducing a linux amateour or a professional to pebble and debian.

Re: Rolling Your Own Firewall

Anonymous's picture

Pebble works well for running wireless nodes with the NoCatAuth backend authentication system. NoCatAuth is a distributed auth system which splits the authentication logic across a central auth server and several "gateways" on the network. Pebble is great to run these gateways. Having built-in support for HostAP, one can also run the gateway *and* the accesspoint by using a prism2 based wifi card.

Most discussion can be found at pebble's mailinglist [] and at

Re: Rolling Your Own Firewall---> LEAF!

Anonymous's picture

Save yourself all the hassle, and help contribute to LEAF

Re: Rolling Your Own Firewall---> LEAF!

Anonymous's picture

or perhaps :)

Re: Rolling Your Own Firewall

Anonymous's picture

I would like to see how you set p your 'larger' firewall, especially the part about the dhcpd and dynamin dns updates.

I think that would be quite valuable as well.

Re: Rolling Your Own Firewall

Anonymous's picture

I haven't tried Pebble, but I wouldn't disregard LEAF so

quickly. By its nature a firewall should be kept small and

simple. I think LEAF Bering (and its uclibc counterpart)

accomplishes this quite well!

I guess I just not sure what the author is looking for when

he says, "Indeed, I fired up LEAF for a few minutes, but

realized I wanted a bit more."

Perhaps one hurdle to LEAF is upgrading it. The generous

LEAF developers release new versions every couple of months

or so, and I don't know of an easy way to upgrade to new

releases without building a new boot floppy from scratch.


I had the exact same

Anonymous's picture

I had the exact same impression of leaf when I fired it up. leaf is targeted directly at being an "out of the box" firewall(such as m0n0wall), at least that is what it looked like to me when i tried it. Pebble is a little less specific in its operation, but still targets the same crowd. I found it to be much easier to modify, especially when it comes to modifying the underlying functions of the firewall itself(such as being ipv6 based instead of ipv4) or, in my case, adding a nifty napt daemon. Nothing against leaf and I am sure that what I wanted to be done could be done with it, but you have to "know" how to do it with leaf. With pebble it is just about the same as using any other linux distro out there.

Re: Rolling Your Own Firewall

Anonymous's picture

I've used Coyote Linux router/firewall and it's very easy to configure with shell scripts that you can download from

Re: Rolling Your Own Firewall

Anonymous's picture

I read the article in the hope it would give me hints about how to set up a firewall using iptables, but it was all about installing pebble. I think the title "Rolling out your own firewall" is misleading, it should have been something like "Installing Pebble - the mini debian distro on an 486".

Ok, the Pebble distribution seems to be something I like to take a look at later, is it as easy to upgrade like Debian is, apt-get update; apt-get upgrade and your done ?


One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix