Rolling Your Own Firewall
I've been hearing a lot of talk lately
about firewall appliances and how much of a pain they can be to
use. Many of them tend to be Windows-specific in various ways, or
they don't have all the flexibility us Penguin-heads have come to
know and love with iptables. So, I decided to see exactly how much
pain is involved in rolling your own firewall.

A visit to the scrap closet netted me a beautiful little
machine: a Dell 486D/50, with 16MB of RAM, an 854MB Western Digital
hard drive, a floppy and a 3Com 3C509 NIC. Add to that a Viking
V.90 external modem, a second-hand 14" monitor and a keyboard to do
the install with (the sticker on the monitor says $29.95), and
we're ready to rip.

With all that hard drive space sitting there (you, in the
back, stop snickering), I thought I'd go for something a little
more powerful than your average floppy-based distribution. Indeed,
I fired up LEAF for a few minutes, but realized I wanted a bit
more. I had been looking at Pebble, a Debian-based mid-sized
distribution, for a while, and it looked perfect for the job.
Pebble is designed to run on a 128MB Compact Flash chip, but it
works easily with other devices, including CD-ROM. It mounts root
read-only and keeps the log files and other writables on a 10MB RAM
disk; you can pull the plug on the box and lose only the logs.
Pebble also is ext3-based, so if you lose something while tweaking
the box, you don't have to fsck, which can be slow and painful on a
486.

What the scrap closet did not contain, though, was a CD-ROM
device. How am I going to get the initial tarball over there? Easy.
Tom's Root-Boot. Make a quick stop at
www.toms.net/rb, suck
down the tarball, extract, run install.s and feed your running
machine a floppy. In a few minutes, you have a bootable
mini-Linux.

Back to the 486 we go, boot tomsrtbt, mount the hard drive
(it had an old Slackware distribution on it), rm -rf
* (carefully!), mkdir /tmp and wget
the tarball over. Now, tar -xvjf--but no. Tom's
has a lot of stuff, but full-out GNU tar isn't one of them. You
have to do it the hard way:

bzip2 -dc pebble.tar.bz2 | tar -xvf -

and much waiting ensues.

Now, time to configure this little monster. Because Tom's is
sparse on tools, I typed chroot /mnt and used
Pebble's own tool set to configure it. First generate the SSH keys
per the README:
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
Now we have to make it bootable.
cp /etc/lilo-standard.conf /etc/lilo.conf
vi /etc/lilo.conf
The LILO setup assumes you have your compact Flash mounted on
your development machine as /dev/hde. Because we're configuring
in situ, we can take that part out and set the
boot stanza to /dev/hda as well. A call to lilo
-v, a reboot and we're done.

It works--sort of. I had assumed Pebble would have a full
complement of built-in NIC modules and my 3C509 would be
auto-detected. Wrong. So, run the remountrw script to make things
writable (it boots read-only remember), edit /etc/modules to load
3c509.o on boot, add alias eth0 3c509 to
/etc/modules/aliases, run update-modules and we have network. eth0
already was configured in /etc/network/interfaces, but you might
want to check it for your own use.

The README indicates NoCat (a wireless access utility) is run
from /etc/inittab, so I went poking in there to make sure it was
turned off. It was, but I noticed that ttyS0, where I had the modem
plugged up, had a getty set to run on it. This is fine for a serial
console, but it's not fine when you want to use it for dial-out.
Although we could use something fancy, such as agetty, to make the
port bidirectional, I decided it was a lot faster and easier simply
to move the modem to ttyS1 (labelled COM2 on the back of the
Dell).

A quick reboot to check the network settings, and we're ready
to start configuring things. Start with the modem; I see PPPD here
but no pppconfig. Well, the beauty of Pebble is it's Debian under
the hood.
apt-get update
apt-get install pppconfig
pppconfig
pppconfig brings up a dialog-based interface and lets you
plug in all the pertinent information to make your modem talk to
your ISP. My first pass at configuring didn't work so well; I
assumed my ISP was using a chat interface, but a double-check of
their web page revealed they were using PAP to authenticate. Fine.
Run pppconfig again, edit the configured interface, change
authentication type and done. pon
provider gave me a PPP link.

Next, we tackle DHCP for our inside network. First rule of
computing: beg, borrow, steal and then write. I stole a working
config off my DSL firewall but promptly hit a snag. Pebble's DHCPD
is udhcpd, a mini version that doesn't do dynamic DNS updating,
which I had configured on my big firewall. When it got to the line
in the configuration for DynDNS, it gave me the computer equivalent
of "huh"? You don't grok that, do you, little guy? So, I commented
out that line, and DHCPD promptly fired up and was happy. For those
who haven't done this, look in /usr/share/doc/dhcp/examples on a
full-house Debian system and likely on most others, as well. Most
of what's there should be portable to udhcpd.

Now that the inside and outside interfaces work, we have to
make them talk. Again, steal. If you have a working iptables setup,
you can borrow it. Otherwise, the IP Masquerade HOWTO has a
well-documented example or three; I won't try to repeat their fine
work. Drop that setup into place and voilà!--firewall on a
budget. And the beauty of it is, if you need to add
something--mini-web server, mail proxy--you can simply apt-get
it.

Pebble can be pulled down from the
NYC Wireless web
site. It's only 17MB compressed; my final system ended up
being 81MB on the disk. Old 486 boxes can be found cheap or for
free in closets and second-hand PC shops. The latter is more likely
to carry Pentium-class machines, which can handle faster PCI
NICs--a good thing to have if you want to do this with DSL rather
than with a modem.

Glenn Stone is a Red Hat
Certified Engineer, sysadmin, technical writer, cover model and
general Linux flunkie. He has been hand-building computers for fun
and profit since 1999, and he is a happy denizen of the Pacific
Northwest.
email: gs@liawol.org
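The masquerading rule set the article leaves to the IP Masquerade HOWTO, as an added example that is not from the article, the HOWTO or Pebble: it assumes the dial-up link is ppp0, the 3C509 is eth0 and udhcpd hands out 192.168.1.0/24, and it emits the rules so they can be reviewed before they are applied. Beyond plain masquerading it sets default-drop policies, admits only established traffic back in from the modem side, and drops packets arriving on ppp0 that claim a LAN source address.

```shell
#!/bin/sh
# Added example (not the article's or the HOWTO's code): a minimal stateful
# masquerading firewall for a dial-up 486 with one inside NIC.
# Interface names and the LAN range below are assumptions; adjust to taste.
OUTSIDE=${OUTSIDE:-ppp0}        # link brought up with "pon provider"
INSIDE=${INSIDE:-eth0}          # the 3C509 on the LAN side
LAN=${LAN:-192.168.1.0/24}      # range udhcpd hands out (assumed)
IPTABLES=${IPTABLES:-iptables}

# Emit the rule set rather than running it, so it can be read or tested
# without root; apply_rules feeds the same text to a shell.
build_rules() {
    cat <<EOF
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s $LAN -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -p udp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $OUTSIDE -s $LAN -j DROP
$IPTABLES -A INPUT -j LOG --log-prefix "FW-DROP: "
$IPTABLES -A FORWARD -i $INSIDE -o $OUTSIDE -s $LAN -j ACCEPT
$IPTABLES -A FORWARD -i $OUTSIDE -o $INSIDE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -j LOG --log-prefix "FW-DROP: "
$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -s $LAN -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Apply the emitted rules; stop at the first iptables call that fails.
apply_rules() {
    build_rules | sh -e
}

# How many emitted lines mention a given token (used for sanity checks).
count_rules() {
    build_rules | grep -c -- "$1"
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Note that the DHCP rule deliberately carries no source match: a client's DISCOVER comes from 0.0.0.0, so an `-s $LAN` there would break udhcpd. Dropped packets land in the logs, which on Pebble live on the RAM disk and vanish at power-off.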
Comments
Re: Rolling Your Own Firewall
Is it possible to strip this down to fit on a 32mb compact flash card ?
I only need two nics, iptable, nat, vi, telnet, no mail or www, maybe crontab and logs?
kevin
isp@charter.net
can I configure this from within redhat 9 and then make an iso image and copy it to a cf card preconfigured?
Re: Rolling Your Own Firewall
A more useful link might be:
http://m0n0.ch/wall/index.php
This site offers a small firewall distro that would fit on 32 mb compact flash. Or try Floppyfw www.zelow.no for a really tiny firewall. I've used it for years and it works very well indeed.
-Ted Clark
Re: Rolling Your Own Firewall
Flash is cheap! Here, kid, here's a quarter, go get yourself a 64M compact flash!
Re: Rolling Your Own Firewall
An excellently written computer conquest story. This little fun-embedding and informative reads like prose. The author does a great job of introducing a linux amateur or a professional to pebble and debian.
Re: Rolling Your Own Firewall
Pebble works well for running wireless nodes with the NoCatAuth backend authentication system. NoCatAuth is a distributed auth system which splits the authentication logic across a central auth server and several "gateways" on the network. Pebble is great to run these gateways. Having built-in support for HostAP, one can also run the gateway *and* the accesspoint by using a prism2 based wifi card.
Most discussion can be found at pebble's mailinglist [http://freenetworks.org/mailman/listinfo/pebble-linux] and at http://nocat.net
Re: Rolling Your Own Firewall---> LEAF!
Save yourself all the hassle, and help contribute to LEAF
leaf.sourceforge.net
Re: Rolling Your Own Firewall---> LEAF!
or perhaps www.leaf-project.org :)
Re: Rolling Your Own Firewall
I would like to see how you set up your 'larger' firewall, especially the part about the dhcpd and dynamic dns updates.
I think that would be quite valuable as well.
Re: Rolling Your Own Firewall
I haven't tried Pebble, but I wouldn't disregard LEAF so
quickly. By its nature a firewall should be kept small and
simple. I think LEAF Bering (and its uclibc counterpart)
accomplishes this quite well!
I guess I'm just not sure what the author is looking for when
he says, "Indeed, I fired up LEAF for a few minutes, but
realized I wanted a bit more."
Perhaps one hurdle to LEAF is upgrading it. The generous
LEAF developers release new versions every couple of months
or so, and I don't know of an easy way to upgrade to new
releases without building a new boot floppy from scratch.
--Flags
I had the exact same
I had the exact same impression of leaf when I fired it up. leaf is targeted directly at being an "out of the box" firewall (such as m0n0wall), at least that is what it looked like to me when I tried it. Pebble is a little less specific in its operation, but still targets the same crowd. I found it to be much easier to modify, especially when it comes to modifying the underlying functions of the firewall itself (such as being ipv6 based instead of ipv4) or, in my case, adding a nifty napt daemon. Nothing against leaf and I am sure that what I wanted to be done could be done with it, but you have to "know" how to do it with leaf. With pebble it is just about the same as using any other linux distro out there.
Re: Rolling Your Own Firewall
I've used Coyote Linux router/firewall and it's very easy to configure with shell scripts that you can download from www.coyotelinux.com.
Re: Rolling Your Own Firewall
I read the article in the hope it would give me hints about how to set up a firewall using iptables, but it was all about installing pebble. I think the title "Rolling out your own firewall" is misleading, it should have been something like "Installing Pebble - the mini debian distro on an 486".
Ok, the Pebble distribution seems to be something I'd like to take a look at later. Is it as easy to upgrade as Debian is, apt-get update; apt-get upgrade and you're done?
Mika