Linux: Linux from Scratch - CF Firewall
The idea of a Linux based firewall is nothing new. A very mature and flexible networking sub-system, along with strong and configurable kernel based packet filter makes Linux a good candidate for this job at the outer edge of any network. The fact that Linux is reliable and seldom crashes is really the icing on the cake.
Receptive IT started development on a Linux distribution, based on Debian, to leverage this flexibility and power. The initial development, started by Garth Berry in 2001, had two objectives. It had to be small enough to fit onto a 32Mb Compact flash card, and it had to be be small enough to fit the majority of the OS into a ramdisk.
Alex Ferrara took over development in June 2004. The main changes where the addition of L2TP/Ipsec VPNs, support for multiple WAN interfaces, a simple web interface aimed at non-technical customers and a 2.6 Kernel. At this stage, the original design was mainly unchanged from Garths original CF Firewall, with a compressed ext2 filesystem that gets loaded into RAM at boottime, and some aspects of the filesystem, namely /etc, sitting on the CF card.
In September 2007, development shifted focus, with Alex finding a similar project called Cflinux. Cflinux was being developed by Richard Kojedzinszky and took the approach of compiling all the components from sources, and having a packaging system for items that are considered optional, and utilising busybox for many of the core tools. This appealed to Alex, as the time needed to add packages would be greatly reduced.
You can download a copy of Cflinux from the official website downloads.
For instructions on installation, simply read the information in the tar!
Once you have installed Cflinux, you will be able to boot your machine from your CF card. Log in to your new Cflinux box as root and change your password.
(none) login: root Password: cfdef --------- | Flash | ^^^^^^^^^ + Software version: 1.0p11-pre1 (2007/09/07-6.00.31 UTC rev=545) (none) /etc/root # passwd Changing password for root New password:******** Retype password:******** Password for root changed by root (none) /etc/root # savedata
One of the first things we should do is change our hostname from the default hostname of (none), to something useful. Cflinux takes the BSD approach of putting all the settings in a single /etc/rc.conf file. If this is a new installation, chances are that /etc/rc.conf does not exist yet. We will change our firewalls hostname to firewall and reboot so changes can take effect. Rebooting is completely optional at this point, but it will let you know that your configuration file is getting parsed.
(none) /etc/root # echo hostname=\"something\" >> /etc/rc.conf (none) /etc/root # savedata (none) /etc/root # reboot
Inserting Kernel Modules
Cflinux uses the /etc/modules file to load kernel modules at boottime. If there is no /etc/modules file, it will use the default of /usr/share/defaults/etc/modules. It is a good idea to create our own modules file to suit our needs. My firewall uses some four port network cards that need the tulip driver, but you should put in whatever driver you require for your hardware.
firewall /etc/root # echo tulip >> /etc/modules firewall /etc/root # savedata firewall /etc/root # reboot
Setting Network Configuration
To make our firewall even remotely useful, we will need to set our LAN network configuration. This is the trusted side of our firewall where our network clients will be pugged into. Once we have accomplished this, we will have SSH access into our firewall, so we can log in remotely .
firewall /etc/root # vi /etc/rc.network firewall /etc/root # savedata
Change the bold text to suit your network layout. The example will set the first ethernet card eth0 to have the IP address of 10.0.0.254 with the subnet mask of 255.255.255.0.
#!/bin/sh # Forwarding echo 1 > /proc/sys/net/ipv4/ip_forward ip link set lo up ip addr add 127.0.0.1/8 dev lo ip link set eth0 up ip addr add 10.0.0.254/24 dev eth0
Linux systems use a file called /etc/hosts to do primary name resolution. We should put an entry into that to reflect our hostname and IP address.
firewall /etc/root # vi /etc/hosts firewall /etc/root # savedata
Change the bold text to suit your hostname and network IP address.
# /etc/hosts file 127.0.0.1 localhost localhost 10.0.0.254 firewall