Linux: Linux from Scratch - CF Firewall

From ReceptiveIT

Introduction

The idea of a Linux based firewall is nothing new. A very mature and flexible networking sub-system, along with strong and configurable kernel based packet filter makes Linux a good candidate for this job at the outer edge of any network. The fact that Linux is reliable and seldom crashes is really the icing on the cake.

Receptive IT started development on a Linux distribution, based on Debian, to leverage this flexibility and power. The initial development, started by Garth Berry in 2001, had two objectives. It had to be small enough to fit onto a 32Mb CompactFlash card, and it had to be small enough to fit the majority of the OS into a ramdisk.

Alex Ferrara took over development in June 2004. The main changes were the addition of L2TP/IPsec VPNs, support for multiple WAN interfaces, a simple web interface aimed at non-technical customers and a 2.6 kernel. At this stage, the original design was mainly unchanged from Garth's original CF Firewall, with a compressed ext2 filesystem that gets loaded into RAM at boot time, and some aspects of the filesystem, namely /etc, sitting on the CF card.

In September 2007, development shifted focus, with Alex finding a similar project called Cflinux. Cflinux was being developed by Richard Kojedzinszky and took the approach of compiling all the components from sources, and having a packaging system for items that are considered optional, and utilising busybox for many of the core tools. This appealed to Alex, as the time needed to add packages would be greatly reduced.

Installation

You can download a copy of Cflinux from the official website downloads.

For instructions on installation, simply read the information in the tar!

First Boot

Initial Login

Once you have installed Cflinux, you will be able to boot your machine from your CF card. Log in to your new Cflinux box as root and change your password.

(none) login: root
Password: cfdef

  ---------
  | Flash |
  ^^^^^^^^^

+ Software version: 1.0p11-pre1 (2007/09/07-6.00.31 UTC rev=545)

(none) /etc/root # passwd
Changing password for root
New password:********
Retype password:********
Password for root changed by root
(none) /etc/root # savedata

Basic Settings

Setting Hostname

One of the first things we should do is change our hostname from the default hostname of (none) to something useful. Cflinux takes the BSD approach of putting all the settings in a single /etc/rc.conf file. If this is a new installation, chances are that /etc/rc.conf does not exist yet. We will change our firewall's hostname to firewall and reboot so the change can take effect. Rebooting is completely optional at this point, but it will let you know that your configuration file is getting parsed.

(none) /etc/root # echo hostname=\"firewall\" >> /etc/rc.conf
(none) /etc/root # savedata
(none) /etc/root # reboot

Inserting Kernel Modules

Cflinux uses the /etc/modules file to load kernel modules at boot time. If there is no /etc/modules file, it will use the default of /usr/share/defaults/etc/modules. It is a good idea to create our own modules file to suit our needs. My firewall uses some four-port network cards that need the tulip driver, but you should put in whatever driver you require for your hardware.

firewall /etc/root # echo tulip >> /etc/modules
firewall /etc/root # savedata
firewall /etc/root # reboot

Setting Network Configuration

To make our firewall even remotely useful, we will need to set our LAN network configuration. This is the trusted side of our firewall, where our network clients will be plugged in. Once we have accomplished this, we will have SSH access into our firewall, so we can log in remotely.

firewall /etc/root # vi /etc/rc.network
firewall /etc/root # savedata

Change the interface name and address to suit your network layout. The example will set the first ethernet card eth0 to have the IP address of 10.0.0.254 with the subnet mask of 255.255.255.0.

#!/bin/sh

# Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

ip link set lo up
ip addr add 127.0.0.1/8 dev lo

ip link set eth0 up
ip addr add 10.0.0.254/24 dev eth0

Name Resolution

Linux systems use a file called /etc/hosts to do primary name resolution. We should put an entry into that to reflect our hostname and IP address.

firewall /etc/root # vi /etc/hosts
firewall /etc/root # savedata

Change the hostname and IP address to suit your hostname and network IP address.

# /etc/hosts file
127.0.0.1	localhost	localhost
10.0.0.254	firewall
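The three files edited above (/etc/rc.conf, /etc/rc.network and /etc/hosts) each carry the firewall's identity separately, so a typo in one of them leaves the box with a hostname that does not resolve to its own LAN address. The POSIX sh script below is an added example, not part of Cflinux or this page: it writes constructed copies of the three files into a temporary directory, parses each one with the same conventions the page uses (key="value" lines in rc.conf, "ip addr add ADDR dev IFACE" lines in rc.network, address-then-names lines in hosts), and checks that the hostname from rc.conf resolves through hosts to the address rc.network assigns to eth0. The function names, the sample directory and the sample contents are all assumptions made for this example.

```shell
#!/bin/sh
# Consistency check across rc.conf, rc.network and hosts (added example;
# not a Cflinux tool). Sample file contents below are CONSTRUCTED.

SAMPLE_DIR="${TMPDIR:-/tmp}/cflinux-check.$$"   # assumed scratch location
mkdir -p "$SAMPLE_DIR"

# Constructed /etc/rc.conf in the key="value" form written by the echo above
cat > "$SAMPLE_DIR/rc.conf" <<'EOF'
# sample rc.conf
hostname="firewall"
EOF

# Constructed /etc/rc.network mirroring the LAN setup shown on the page
cat > "$SAMPLE_DIR/rc.network" <<'EOF'
#!/bin/sh

# Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

ip link set lo up
ip addr add 127.0.0.1/8 dev lo

ip link set eth0 up
ip addr add 10.0.0.254/24 dev eth0
EOF

# Constructed /etc/hosts
cat > "$SAMPLE_DIR/hosts" <<'EOF'
# /etc/hosts file
127.0.0.1   localhost   localhost
10.0.0.254  firewall
EOF

# rc_conf_get KEY FILE: print KEY's value from a BSD-style rc.conf,
# stripping optional surrounding quotes; the last assignment wins.
rc_conf_get() {
    sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*$/\1/p" "$2" | tail -n 1
}

# rc_network_addr IFACE FILE: print the ADDR/PREFIX that rc.network
# assigns to IFACE with "ip addr add ADDR dev IFACE".
rc_network_addr() {
    awk -v dev="$1" '
        $1 == "ip" && $2 == "addr" && $3 == "add" {
            for (i = 5; i <= NF; i++) if ($i == "dev" && $(i+1) == dev) print $4
        }' "$2"
}

# rc_network_forwarding FILE: print 1 if rc.network turns on IPv4 forwarding.
rc_network_forwarding() {
    grep -q '^echo 1 > /proc/sys/net/ipv4/ip_forward' "$1" && echo 1 || echo 0
}

# hosts_lookup NAME FILE: print the first address /etc/hosts maps NAME to,
# skipping comment lines and lines without a name.
hosts_lookup() {
    awk -v name="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }' "$2"
}

# check_name_resolution DIR: the hostname in DIR/rc.conf must resolve via
# DIR/hosts to the eth0 address in DIR/rc.network. Prints the finding;
# exit status 0 only when the three files agree.
check_name_resolution() {
    dir="$1"
    host="$(rc_conf_get hostname "$dir/rc.conf")"
    [ -n "$host" ] || { echo "hostname not set in rc.conf"; return 1; }
    lan="$(rc_network_addr eth0 "$dir/rc.network")"
    [ -n "$lan" ] || { echo "no address for eth0 in rc.network"; return 1; }
    lan_ip="${lan%/*}"                      # drop the /24 prefix length
    resolved="$(hosts_lookup "$host" "$dir/hosts")"
    [ -n "$resolved" ] || { echo "$host has no /etc/hosts entry"; return 1; }
    [ "$resolved" = "$lan_ip" ] || { echo "$host resolves to $resolved but eth0 is $lan_ip"; return 1; }
    echo "ok: $host -> $lan_ip (ip_forward=$(rc_network_forwarding "$dir/rc.network"))"
}

check_name_resolution "$SAMPLE_DIR"
```

Run it before savedata and reboot; a stale /etc/hosts entry is reported as a mismatch rather than discovered later when SSH or logging looks up the firewall's own name. The ok line also reports the ip_forward setting, because rc.network enables forwarding as its first action, before any interface is configured, which is worth being aware of when you later add the packet filter rules that decide what is allowed between the LAN and WAN sides.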