Floppy-based distributions usually come with only a few simple utilities for file and system management, and that is one of their real strengths. If an intruder does gain access to the box, there is very little on it to use for going further. In this Daily Feature, I will cover the procedure to install and configure the floppyfw distribution. This distribution provides a Linux gateway/router capable of running as a firewall for your network. The firewall script shipped with floppyfw is far less capable than a complete firewall, but the distribution is a cost-effective base for small and medium-sized networks. I’ve also created a download you can use to strengthen the floppyfw firewall after you’ve installed and configured it.
What you need
- 1. The latest release of floppyfw.
- 2. Any PC with a 386sx or faster processor, a 3.5-inch floppy drive, and 8 MB of RAM. A Pentium PC is recommended. A Pentium machine will have more PCI slots available, which will allow the use of two PCI network interface cards (NICs). Although floppyfw will work with ISA cards, some additional configuration may be required. The floppyfw distribution will usually detect compatible PCI cards with no problems.
- 3. Two network interface cards (NICs)—floppyfw supports the following types of NICs:
- · NE2000 compatible
- · Tulip-based
- · Intel EtherExpress PCI
- · 3Com 3c509
Although the minimum RAM required for floppyfw is 8 MB, more memory will allow for more efficient operation.
For this Daily Feature, I used the floppyfw-current.img image, which is the most reliable version of floppyfw. Although the latest version of floppyfw includes the Linux 2.4 kernel and support for iptables, it’s still considered beta.
Step 1: Make the floppyfw boot floppy
Once you have the image downloaded, you can create the floppyfw boot floppy. Run the following command, as root, from the directory where the image is located:
dd if=floppyfw-current.img of=/dev/fd0 bs=72k
Step 2: Configure floppyfw
After the boot floppy is created, the next step is to configure floppyfw to meet your requirements. You will need to edit two configuration files. The first is the config file, which serves three purposes:
- 1. The TCP/IP settings for the floppyfw box are set using this file.
- 2. Console shell access is permitted or denied through the config file.
- 3. The administrator enables or disables use of the syslog daemon with this file.
For this example, I used the following settings:
- · The floppyfw machine is connected to the ISP using a static IP address.
- · The interface connected to the ISP is eth0. The IP address of eth0 is 10.37.72.163.
- · The interface connected to the internal network is eth1. The IP address for eth1 is 188.8.131.52.
- · Logging through the syslog daemon is enabled.
- · Because the machine used for floppyfw has more than 12 MB of RAM, the ONLY_8M option is set to "no."
The actual config file looks like this. Once the correct settings for your network are entered, the next step is to configure logging.
Step 3: Configure logging
By default, floppyfw logs all activity to the local console only. Because nothing is written to the floppy, those logs vanish at reboot, and an intruder who gets onto the firewall can clear the console; a logging host on the internal network keeps a copy out of reach. To set up remote logging, take two steps:
- 1. Edit the syslog.cfg file on the floppyfw boot floppy and direct whatever you want logged to the IP address of the remote host. In Example 1, I have logged all activity to the workstation at 184.108.40.206.
Example 1: Logging to a remote host
# log everything to a remote host.
# auth.* /dev/tty5
# daemon.*;local2.* -/dev/tty6
# kern.* -/dev/tty7
# daemon.none; -/dev/tty8
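Example 1 as printed shows only the commented-out console entries. The following fragment, added here as an illustration and not the article's own example, is what the remote-logging line looks like, assuming syslog.cfg follows standard syslog.conf syntax (which the entries above do); the address is the logging workstation from the text:

```conf
# log everything to a remote host (UDP port 514, cleartext, unauthenticated)
*.*                     @184.108.40.206
# the console entries stay commented out; uncomment any you still want locally
# auth.*                /dev/tty5
# kern.*                -/dev/tty7
```

Because syslog over the network is neither encrypted nor authenticated, anyone on the internal network who can reach UDP 514 on the logging host can inject or read entries, so the logging host should accept messages only from the floppyfw box's internal address.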
- 2. On the machine used as the logging host, edit /etc/rc.d/init.d/syslog and make sure syslogd is started with the -r option, which tells it to accept log messages from the network (UDP port 514). Example 2 shows the section of /etc/rc.d/init.d/syslog with syslogd configured to receive messages over the network; the line that starts syslogd is the one that needs the -r option. Note that -r makes syslogd accept messages from any host, so restrict UDP 514 on the logging host to the floppyfw box's internal address.
Once you have completed these steps, write-protect the boot floppy. floppyfw writes nothing to the disk while running, so write-protection costs nothing and means an intruder who gets a shell on the box cannot alter its configuration or leave anything behind; a reboot restores the machine exactly as you configured it. Once this step is completed, you're ready to test your installation.
Step 4: Test the installation
Once you have the installation completed, insert the floppyfw boot floppy into the machine used for routing/firewalling and reboot. Then, run the following command from the console:
ping -c 3 www.linux.org
If you are able to ping www.linux.org, your floppyfw machine is able to access the Internet. The next step is to check that the floppyfw machine has access to the internal network. Run the following command:
ping -c 3 <IP-address-on internal network>
Each ping should report replies for all three packets with no packet loss. If both succeed, the floppyfw machine has access to the Internet and the internal network.
The next step is to attempt Internet access from a workstation on the internal network. First, if you are using a Linux workstation, run the following command as root to make sure the workstation is using eth1 on the floppyfw machine as its default gateway (the gateway address is the one you assigned to eth1 on the floppyfw box; eth0 here is the workstation's own interface):
route add default gw 220.127.116.11 dev eth0
If you are using a Windows machine, run the command
from a command prompt and enter the appropriate TCP/IP addressing information for the workstation. Then run ping -n 3 18.104.22.168 from the command prompt or MS-DOS prompt (Windows ping takes -n for the packet count, not -c); it should report replies with no packet loss.
If you get similar results, your workstation has Internet access. If any of the attempts to ping the Internet or internal network fail, check the config file on the floppyfw machine. Make sure all of the TCP/IP entries are entered correctly.
If all of your ping attempts have run properly, floppyfw is installed and is now operating as a gateway/router for your internal network with masquerading enabled.
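The Step 4 checks from the workstation's side can be scripted so they give a clear pass or fail instead of output to eyeball. The script below is an added example, not part of floppyfw or of the article; it assumes a Linux workstation with the classic route and ping tools, uses the article's example addresses, and the sample outputs embedded in it are constructed for its offline self-test:

```sh
#!/bin/sh
# check_gateway.sh: the Step 4 checks as a script, run on a Linux workstation
# behind floppyfw. Added example, not part of floppyfw. The addresses are the
# article's example network (assumptions); SAMPLE_* values are constructed
# output used only for the self-test.
GW_INSIDE=188.8.131.52          # eth1 of the floppyfw box, our default gateway
OUTSIDE_HOST=www.linux.org      # reachable only if masquerading works

# Print the gateway of the default route from "route -n" output.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'
}

# Succeed only if a ping summary line reports no lost packets.
ping_ok() {
    printf '%s\n' "$1" | grep -q ' 0% packet loss'
}

run_checks() {
    gw=$(default_gateway "$(route -n)")
    [ "$gw" = "$GW_INSIDE" ] || { echo "FAIL: default gateway is '$gw', want $GW_INSIDE"; return 1; }
    ping_ok "$(ping -c 3 "$GW_INSIDE" 2>&1)" || { echo "FAIL: floppyfw inside interface unreachable"; return 1; }
    ping_ok "$(ping -c 3 "$OUTSIDE_HOST" 2>&1)" || { echo "FAIL: no Internet access through floppyfw"; return 1; }
    echo "OK: gateway set and masquerading works"
}

# Constructed sample output (not captured from a real host) for the self-test.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
188.8.131.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         188.8.131.52    0.0.0.0         UG    0      0        0 eth0'
SAMPLE_PING_GOOD='3 packets transmitted, 3 received, 0% packet loss, time 2003ms'
SAMPLE_PING_BAD='3 packets transmitted, 0 received, 100% packet loss, time 2055ms'

selftest() {
    [ "$(default_gateway "$SAMPLE_ROUTE")" = 188.8.131.52 ] &&
    ping_ok "$SAMPLE_PING_GOOD" && ! ping_ok "$SAMPLE_PING_BAD"
}

case "${1:-}" in
    run)  run_checks ;;
    *)    selftest && echo "self-test passed; use '$0 run' on the workstation" ;;
esac
```

Invoke it as `sh check_gateway.sh run` on the workstation; without an argument it only checks its own parsers. On a current distribution `route -n` may be absent, in which case feed `ip route` output to an adjusted `default_gateway` (the default line there reads `default via <gw> dev <if>`).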
Step 5: Build the firewall
The firewall script for floppyfw is the firewall.ini file. The stock script configures a very minimal firewall: beyond setting the default policies, enabling masquerading and its timeouts, setting type-of-service bits for ssh traffic, and rejecting traffic to a few ports, there isn’t a lot of firewalling in it. The name suggests a full-featured firewall, but the actual purpose of floppyfw is to provide a small, stable environment on which to build one.
You can download this example of a much stronger firewall.ini file, make the necessary changes for your network, and save it as firewall.ini on the boot floppy. It includes:
- · Defining loopback and trusted network connections
- · Distinguishing between internal and external NICs
- · Setting up logging
- · Debugging options
- · SYN flood protection through TCP SYN cookies
- · IP spoof protection
- · Forced defragmentation of incoming packets
- · Ignoring broadcast echo (ping) requests
- · Ignoring bogus ICMP error messages
- · Source address verification (reverse-path filtering)
- · Refusing ICMP redirects
- · Refusing source-routed packets
- · Defining INPUT rules
- · Restricting access to the firewall itself to specified hosts
- · Denying connections to many commonly attacked ports
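A firewall.ini built along the lines of that list, written here as an added example (it is not the author's download and not floppyfw's stock script), for the ipchains-based floppyfw-current release used in this article. The addresses repeat the example network; the inside netmask /24, the admin host 188.8.131.10 and the blocked-port list are assumptions to change for your own network:

```sh
#!/bin/sh
# Hardened firewall.ini for the ipchains-based floppyfw-current release.
# Added example: not the author's download and not floppyfw's stock script.
# The addresses, admin host, inside netmask and port list are assumptions
# for the article's example network; change them to match yours.
OUTSIDE_DEV=eth0; OUTSIDE_IP=10.37.72.163
INSIDE_DEV=eth1;  INSIDE_IP=188.8.131.52; INSIDE_NET=188.8.131.0/24
ADMIN_HOSTS="188.8.131.10"                       # may talk to the firewall itself
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"
BLOCKED_PORTS="23 111 137 138 139 512 513 514 515 2049"   # never wanted from outside
IPCHAINS=${IPCHAINS:-ipchains}

# Write one /proc/sys/net/ipv4 value. ROOT is a parameter so the function can
# be exercised against a scratch directory instead of the live /proc.
set_sysctl() {
    echo "$3" > "$1/$2" 2>/dev/null || echo "firewall.ini: cannot set $2" >&2
}

# Kernel-side protections: SYN cookies, forced defragmentation (masquerading
# on 2.2 needs it), ignore broadcast pings and bogus ICMP errors, reverse-path
# (source address) verification, log martians, no ICMP redirects, no source routing.
harden_kernel() {
    root=$1
    set_sysctl "$root" tcp_syncookies 1
    set_sysctl "$root" ip_always_defrag 1
    set_sysctl "$root" icmp_echo_ignore_broadcasts 1
    set_sysctl "$root" icmp_ignore_bogus_error_responses 1
    for i in all "$OUTSIDE_DEV" "$INSIDE_DEV"; do
        set_sysctl "$root" "conf/$i/rp_filter" 1
        set_sysctl "$root" "conf/$i/accept_redirects" 0
        set_sysctl "$root" "conf/$i/accept_source_route" 0
        set_sysctl "$root" "conf/$i/log_martians" 1
    done
}

rule() { $IPCHAINS "$@"; }

build_rules() {
    rule -F; rule -X
    rule -P input DENY; rule -P forward DENY; rule -P output ACCEPT
    rule -M -S 7200 10 160          # masquerade timeouts: tcp, tcp-fin, udp (seconds)

    rule -A input -i lo -j ACCEPT
    # Inside network: forwarded packets cross the input chain too, so the whole
    # net is accepted, but only ADMIN_HOSTS may address the firewall itself.
    for h in $ADMIN_HOSTS; do
        rule -A input -i "$INSIDE_DEV" -s "$h" -d "$INSIDE_IP" -j ACCEPT
    done
    rule -A input -i "$INSIDE_DEV" -d "$INSIDE_IP" -j DENY -l
    rule -A input -i "$INSIDE_DEV" -s "$INSIDE_NET" -j ACCEPT

    # Spoof protection: private, loopback, inside and our own addresses never
    # legitimately arrive on the outside interface; drop and log them (-l).
    for n in $PRIVATE_NETS "$INSIDE_NET" "$OUTSIDE_IP"; do
        rule -A input -i "$OUTSIDE_DEV" -s "$n" -j DENY -l
    done
    # Vulnerable service ports, then every new TCP connection (-y) from the Internet.
    for p in $BLOCKED_PORTS; do
        rule -A input -i "$OUTSIDE_DEV" -p tcp -d 0.0.0.0/0 "$p" -j DENY -l
        rule -A input -i "$OUTSIDE_DEV" -p udp -d 0.0.0.0/0 "$p" -j DENY -l
    done
    rule -A input -i "$OUTSIDE_DEV" -p tcp -y -j DENY -l
    # Replies to masqueraded connections reach the input chain still addressed
    # to the firewall's masquerade port range (2.2 kernel default 61000:65095).
    rule -A input -i "$OUTSIDE_DEV" -p tcp ! -y -d "$OUTSIDE_IP" 61000:65095 -j ACCEPT
    rule -A input -i "$OUTSIDE_DEV" -p udp -d "$OUTSIDE_IP" 61000:65095 -j ACCEPT
    rule -A input -i "$OUTSIDE_DEV" -p icmp -d "$OUTSIDE_IP" -j ACCEPT
    rule -A input -i "$OUTSIDE_DEV" -j DENY -l

    # Forward (and masquerade) only the inside network's own traffic going out.
    rule -A forward -i "$OUTSIDE_DEV" -s "$INSIDE_NET" -j MASQ
}

case "${1:-}" in
    show)   IPCHAINS="echo ipchains"; build_rules ;;  # print the rule set, apply nothing
    *)  if [ "$(id -u)" = 0 ] && command -v "$IPCHAINS" >/dev/null 2>&1; then
            harden_kernel /proc/sys/net/ipv4
            build_rules
            set_sysctl /proc/sys/net/ipv4 ip_forward 1   # forward only once rules exist
        else
            echo "firewall.ini: need root and ipchains to apply; use 'show' to review" >&2
        fi ;;
esac
```

Run `sh firewall.ini show` on any Linux box to print the rule set for review before copying the file to the floppy. At boot floppyfw runs it with no arguments, which applies the sysctls first, then the rules, and enables ip_forward last, so there is no window in which packets are forwarded unfiltered. If you move to the iptables-based release, the sysctl half carries over unchanged; the ipchains rules need translating, and the masquerade port-range rules, which stand in for the connection tracking ipchains lacks, become a plain ESTABLISHED,RELATED match.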
If you’re looking for an amazingly simple and reliable gateway/firewall, the floppyfw Linux distribution is an efficient way to provide these capabilities for small to medium-sized networks. When cost or resources are issues on your network, floppyfw provides an inexpensive solution without the requirement of administering a complex server environment.