Rolling Your Own Firewall
I've been hearing a lot of talk lately about firewall appliances and how much of a pain they can be to use. Many of them tend to be Windows-specific in various ways, or they don't have all the flexibility us Penguin-heads have come to know and love with iptables. So, I decided to see exactly how much pain is involved in rolling your own firewall.
A visit to the scrap closet netted me a beautiful little machine: a Dell 486D/50, with 16MB of RAM, an 854MB Western Digital hard drive, a floppy and a 3Com 3C509 NIC. Add to that a Viking V.90 external modem, a second-hand 14" monitor and a keyboard to do the install with (the sticker on the monitor says $29.95), and we're ready to rip.
With all that hard drive space sitting there (you, in the back, stop snickering), I thought I'd go for something a little more powerful than your average floppy-based distribution. Indeed, I fired up LEAF for a few minutes, but realized I wanted a bit more. I had been looking at Pebble, a Debian-based mid-sized distribution, for a while, and it looked perfect for the job. Pebble is designed to run on a 128MB Compact Flash chip, but it works easily with other devices, including CD-ROM. It mounts root read-only and keeps the log files and other writables on a 10MB RAM disk; you can pull the plug on the box and lose only the logs. Pebble also is ext3-based, so if you lose something while tweaking the box, you don't have to fsck, which can be slow and painful on a 486.
What the scrap closet did not contain, though, was a CD-ROM device. How am I going to get the initial tarball over there? Easy. Tom's Root-Boot. Make a quick stop at www.toms.net/rb, suck down the tarball, extract, run install.s and feed your running machine a floppy. In a few minutes, you have a bootable mini-Linux.
Back to the 486 we go, boot tomsrtbt, mount the hard drive (it had an old Slackware distribution on it), rm -rf * (carefully!), mkdir /tmp and wget the tarball over. Now, tar -xvjf--but no. Tom's has a lot of stuff, but full-out GNU tar isn't one of them. You have to do it the hard way:
bzip2 -dc pebble.tar.bz2 | tar -xvf -
and much waiting ensues.
Now, time to configure this little monster. Because Tom's is sparse on tools, I typed chroot /mnt and used Pebble's own tool set to configure it. First generate the SSH keys per the README:
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
Now we have to make it bootable.
cp /etc/lilo-standard.conf /etc/lilo.conf vi /etc/lilo.conf
The LILO setup assumes you have your compact Flash mounted on your development machine as /dev/hde. Because we're configuring in situ, we can take that part out and set the boot stanza to /dev/hda as well. A call to lilo -v, a reboot and we're done.
It works--sort of. I had assumed Pebble would have a full compliment of built-in NIC modules and my 3C509 would be auto-detected. Wrong. So, run the remountrw script to make things writable (it boots read-only remember), edit /etc/modules to load 3c509.o on boot, add alias eth0 3c509 to /etc/modules/aliases, run update-modules and we have network. eth0 already was configured in /etc/network/interfaces, but you might want to check it for your own use.
The README indicates NoCat (a wireless access utility) is run from /etc/inittab, so I went poking in there to make sure it was turned off. It was, but I noticed that ttyS0, where I had the modem plugged up, had a getty set to run on it. This is fine for a serial console, but it's not fine when you want to use it for dial-out. Although we could use something fancy, such as agetty, to make the port bidirectional, I decided it was a lot faster and easier simply to move the modem to ttyS1 (labelled COM2 on the back of the Dell).
A quick reboot to check the network settings, and we're ready to start configuring things. Start with the modem; I see PPPD here but no pppconfig. Well, the beauty of Pebble is it's Debian under the hood.
apt-get update apt-get install pppconfig pppconfig
pppconfig brings up a dialog-based interface and lets you plug in all the pertinent information to make your modem talk to your ISP. My first pass at configuring didn't work so well; I assumed my ISP was using a chat interface, but a double-check of their web page revealed they were using PAP to authenticate. Fine. Run pppconfig again, edit the configured interface, change authentication type and done. pon provider gave me a PPP link.
Next, we tackle DHCP for our inside network. First rule of computing: beg, borrow, steal and then write. I stole a working config off my DSL firewall but promptly hit a snag. Pebble's DHCPD is udhcpd, a mini version that doesn't do dynamic DNS updating, which I had configured on my big firewall. When it got to the line in the configuration for DynDNS, it gave me the computer equivalent of "huh"? You don't grok that, do you, little guy? So, I commented out that line, and DHCPD promptly fired up and was happy. For those who haven't done this, look in /usr/share/doc/dhcp/examples on a full-house Debian system and likely on most others, as well. Most of what's there should be portable to udhcpd.
Now that the inside and outside interfaces work, we have to make them talk. Again, steal. If you have a working iptables setup, you can borrow it. Otherwise, the IP Masquerade HOWTO has a well-documented example or three; I won't try to repeat their fine work. Drop that setup into place and voilà!--firewall on a budget. And the beauty of it is, if you need to add something--mini-web server, mail proxy--you can simply apt-get it.
Pebble can be pulled down from the NYC Wireless web site. It's only 17MB compressed; my final system ended up being 81MB on the disk. Old 486 boxes can be found cheap or for free in closets and second-hand PC shops. The latter is more likely to carry Pentium-class machines, which can handle faster PCI NICs--a good thing to have if you want to do this with DSL rather than with a modem.
Glenn Stone is a Red Hat Certified Engineer, sysadmin, technical writer, cover model and general Linux flunkie. He has been hand-building computers for fun and profit since 1999, and he is a happy denizen of the Pacific Northwest.
Editorial Advisory Panel
Thank you to our 2014 Editorial Advisors!
- Jeff Parent
- Brad Baillio
- Nick Baronian
- Steve Case
- Chadalavada Kalyana
- Caleb Cullen
- Keir Davis
- Michael Eager
- Nick Faltys
- Dennis Frey
- Philip Jacob
- Jay Kruizenga
- Steve Marquez
- Dave McAllister
- Craig Oda
- Mike Roberts
- Chris Stark
- Patrick Swartz
- David Lynch
- Alicia Gibb
- Thomas Quinlan
- Carson McDonald
- Kristen Shoemaker
- Charnell Luchich
- James Walker
- Victor Gregorio
- Hari Boukis
- Brian Conner
- David Lane