Building a Diskless 2.6 Firewall
Want to build a custom router/firewall for your home network? You can obtain the necessary hardware virtually for free from garage sales or on-line auctions. You even might have some old hardware lying around. A Pentium-class system is more than sufficient and can handle the stress well. Typically, we don't need much memory, but I recommend at least 16MB of RAM. In place of a hard disk, we can use a compact Flash, or CF, card. CF has some nifty features, such as on-board error detection and correction to minimize Flash wear. Due to a full-fledged IDE interface, it also can be used as a normal IDE device. You do need an adapter to connect the card, though. We are going to use only two to three megabytes, so the size of the card doesn't really matter.
For now, we are going to build a machine with the following features: iptables firewall, SSH dæmon, DHCP server and DNS server. Because we're going to build a Linux system completely from scratch, we need a fair amount of software. The usual Linux tools aren't built for embedded systems; they're loaded with features we don't need. This is where BusyBox, the Swiss Army knife of embedded Linux, comes into play. BusyBox can replace most of the tools we need, for instance a shell, ifconfig, the ip tools and so on. We then need a bootloader, a C library, iptables, an SSH server and a DNS server. We are going to use the new 2.6.1 kernel release, which introduces some issues we'll deal with later.
I use GRUB as the bootloader, but any recent loader should do. iptables, the 1.2.9 version, is the choice for our firewalling software, and Dropbear serves as our SSH dæmon. Finally, we use the handy dnsmasq program, basically a stripped-down yet fully functional DNS server that forwards our requests to the ISP's DNS servers.
The biggest problem I faced was the C library, libc. I opted for the lightweight library uClibc. It's a C library for embedded systems that comes with a whole toolchain. The development environment can be installed easily by getting the installer tar file from uclibc.org/cgi-bin/cvsweb/toolchain/gcc-3.3.x.tar.gz?view=tar. Unpack it and edit the Makefile in the toolchain directory, then type make. This downloads, compiles and installs a toolchain for your platform. It takes some time to install it, mostly depending on your Internet connection. After it's finished you are presented with a directory named toolchain_ARCHITECTURE (for example, toolchain_i386) containing all libraries, header files and a cross-compiler needed later.
One of the biggest questions is “What filesystem should I use?” Compact Flash cards are shipped formatted with VFAT, which probably isn't the best choice for Linux. The obvious choice would be ext3, but you should be concerned about the Flash wear that affects all Flash-based devices sooner or later. All Flash-based media fail after a certain number of write cycles; compact Flash usually fails at around a million. That might sound like a lot, but the journaling function of the filesystem would kill the Flash eventually. For simplicity, we use the ext2 filesystem, which we mount read-only. To configure the router, you have to remount the disk writable.
Hook up the card to a USB reader or use an IDE adapter, and use your favourite fdisk program to create a new partition. One partition the size of your Flash should suffice. Then issue the command /sbin/mkfs.ext2 -m0 /dev/[flash] to create a new ext2 filesystem.
Issue the command tune2fs -c0 -i0 /dev/[flash] to turn off the automatic filesystem checking and the warning that the filesystem should be checked for errors. Because we use it read-only, we don't need to worry about errors too much. Mount the disk and proceed.
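The card preparation just described, together with the read-only mount and the remount-for-configuration step, collected into a small POSIX shell script. This is an added example, not code from the original article; the device name is a placeholder, and the DRY_RUN switch and the tune2fs output check are my additions so the steps can be reviewed before touching a real card.

```shell
#!/bin/sh
# Prepare a compact Flash partition as the read-only ext2 root of the router.
# Added example (not from the article). DEV, e.g. /dev/sdb1, is a placeholder
# for the CF partition; DRY_RUN=1 prints the commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# mkfs.ext2 -m0: no reserved blocks, pointless on a tiny read-only root.
# tune2fs -c0 -i0: never force an fsck by mount count or by elapsed time.
prepare_cf() {
    dev="$1"
    run /sbin/mkfs.ext2 -m0 "$dev" &&
    run tune2fs -c0 -i0 "$dev"
}

# Verify the tune2fs step took effect: feed `tune2fs -l DEV` on stdin and
# succeed only if both periodic-check triggers are really switched off.
checks_disabled() {
    awk '
        /^Maximum mount count:/ { mc = $NF }
        /^Check interval:/      { ci = $3 }
        END { exit !(mc == "-1" && ci == "0") }
    '
}

# /etc/fstab line for the root filesystem: mounted read-only, so normal
# operation never writes to the Flash.
fstab_line() {
    printf '%s\t/\text2\tro\t0 0\n' "$1"
}

# Remount helpers for the configuration step described in the text.
cf_rw() { run mount -o remount,rw /; }
cf_ro() { run mount -o remount,ro /; }
```

After preparing a real card, `tune2fs -l /dev/[flash] | checks_disabled && echo ok` confirms the check counters are off before you copy the system over.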
The new kernel has seen some major improvements, the first and most obvious being the new graphical configuration menu. It is invoked by either make gconfig or make xconfig for the GTK+ or Qt-based application, respectively (Figure 1). Using these new GUIs, configuring the kernel is a snap, easier than ever before.
One thing you might want to consider when compiling the kernel for the router is that BusyBox's module support appears to be somewhat flaky with the new 2.6 modules. We can dodge that problem easily by compiling a non-modular kernel, which has the nice side effect that we can forget about the module-related utilities.
Feature-wise I advise you to check all iptables-related options and the driver for your network cards. We can leave most other options unchecked unless you need them. Remember, the less we choose to add, the less space the kernel needs. Be sure to compile all options statically, though, because we aren't using the modules.
When finished, enter make and watch the new, tidied compilation process. Create a directory boot on your compact Flash and cp the kernel from arch/i386/boot/ to /mnt/cf/boot/.