Linux.com

Dancing with the Devil (the Devil-Linux firewall, that is)

March 08, 2002 (8:00:00 AM)

By: Russell Pavlicek

One of the really beautiful features of Open Source software is the ability to customize the software for very particular purposes. One such special-purpose customization is Devil-Linux, a Linux distribution built for lightweight firewalls.

Now, there are several Linux firewall products available, including the Mitel SME Server (formerly E-Smith Firewall and Gateway reviewed on NewsForge last year), but Devil-Linux approaches the problem a bit differently. Where the Mitel product is focused on ease of installation and administration, the Devil-Linux offering is much more techie in its configuration.

But the main feature of Devil-Linux is intriguing: It is designed to install without the use of a hard drive. The operating system requires the use of a CDROM and a write-protected floppy. The CDROM provides the operating system, and the floppy provides the configuration information, via a tarball that is unpacked into the /etc directory. In this way, the system is fully configurable, yet the running system has no writeable device.

Why is this helpful? If the system is compromised, there is no writable medium on which an intruder can install a root kit that survives a reboot. This means that a simple reboot will remove any compromising software.

But that's only half the equation. Any sysadmin worth his salt will point out that reloading the same software that was cracked is just re-arming a time bomb. If it was cracked once, it will be cracked again.

If the break-in was a matter of a poor choice of security settings, you will need to edit the selections you made and recreate the floppy. If a software package is at fault and Devil-Linux has already upgraded it, you will need to download a new CDROM ISO image from the Web site. If no patch is available yet, you will need to unpack the ISO image onto another machine, install corrected executables from another source, and then rebuild and reburn the ISO image. The last option is not exactly kid stuff, but security doesn't always come with a candy coating.

Project background

The project's Web page points out that the naming of Devil-Linux does not have any religious significance. In a move reminiscent of the naming of Linux (where the person maintaining the FTP download site named the project after Linus Torvalds), a friend of the project leader suggested naming the project after a picture on the leader's T-shirt: a BSD-like Daemon.

Devil-Linux is a working firewall, but it is still at version 0.5b5, so it is still very much a work in progress. According to the Web page, additional capabilities are still on the drawing board, such as HTTP and FTP servers and an intrusion detection system. But for now, it is a functional firewall based on the Linux-from-Scratch project using a 2.4 kernel with a number of usable components.

Configuring the system

Setup is not for the total novice, but it does not require extensive expertise, either. You will need to be acquainted with basic sysadmin skills for a Linux system. If you can create tarballs and edit the configuration files normally kept in /etc, you should be OK.

The Web page at http://www.devil-linux.org/ does include reasonable documentation. It does not talk you through every edit of the config files, but it certainly gives you a good outline of the process of setting up this system. Having a copy of the short but informative documentation handy is advisable. It is included in the download kit.

First, you will need to download and burn a copy of the Devil-Linux ISO image. It's a straightforward operation if you have burned your own ISO images onto CDs before.

Once you have burned the CD, untar the file etc.tar.gz into a directory on your system. Yes, you will need to perform this action on a system other than that to be used as the firewall, because the configuration takes place before you ever boot the firewall.

The documentation suggests editing at least these files:

etc/resolv.conf
etc/sysconfig/config
etc/sysconfig/software
etc/sysconfig/nic/ifcfg-*

The information you will need to supply is precisely what you would expect. You will need to specify the drivers to use for each of the network cards as well as the normal network parameters (IP addresses, netmasks, DNS server addresses, and so on).

You will also choose which services to start on the firewall. These services include such things as PPP, IPsec, SSH, Bind, PPPoE, DHCP, PPTP, LDAP, and SNMP. Configuration of most of these services is straightforward for a moderately experienced administrator.

Some normal configuration options are notable by their absence. There is no need to configure sound cards or define X Windows parameters. As a dedicated server, Devil-Linux has no need for such things. And that simplifies the setup process greatly.

Once you have set up the configuration files, you will need to recreate the /etc tarball and place it on a DOS-formatted floppy disk. Once you have copied the file onto the floppy, set the write-protect tab on the diskette. This will prevent any crackers from potentially modifying the configuration information.
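The repack step described above, as an added example that is not part of the article or of the Devil-Linux project: it rebuilds the configuration tarball from an edited etc/ tree, records a checksum you can keep for later comparison, and checks that every entry in the archive stays under etc/ before the file goes onto the write-protected floppy. The sample files and values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: rebuild and sanity-check the Devil-Linux /etc tarball.
# Not the project's own tooling; file contents below are constructed.

# Build a small etc/ tree mirroring the files the documentation says to edit.
make_sample_etc() {
  dir=$1
  mkdir -p "$dir/etc/sysconfig/nic"
  echo "nameserver 192.0.2.53"   > "$dir/etc/resolv.conf"
  echo "HOSTNAME=firewall"       > "$dir/etc/sysconfig/config"
  echo "START_SSH=yes"           > "$dir/etc/sysconfig/software"
  echo "IPADDR=192.0.2.1"        > "$dir/etc/sysconfig/nic/ifcfg-eth0"
}

# Pack etc/ (relative to $srcdir, so the archive holds relative paths)
# into $out and print the archive's SHA-256 for your records.
pack_etc() {
  srcdir=$1; out=$2
  tar -C "$srcdir" -czf "$out" etc
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$out"
  else shasum -a 256 "$out"; fi | cut -d' ' -f1
}

# Succeed only if every archive entry is a relative path under etc/:
# no leading "/", no ".." components, nothing outside etc/. Unpacking
# such an archive into / on the firewall can only touch /etc.
verify_etc_tarball() {
  tar -tzf "$1" | awk '
    /^\// || /(^|\/)\.\.(\/|$)/ || !/^etc(\/|$)/ { bad = 1 }
    END { exit bad }'
}
```

Copy the resulting etc.tar.gz to the DOS-formatted floppy only after verify_etc_tarball succeeds, then set the write-protect tab.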

Execution

This is the one point where the beta-ness of the code showed up. I had two first-generation Pentium boxes that absolutely refused to boot the Devil-Linux kernel. Normally, you can boot straight from the CD, but you have the option of booting from a DOS floppy if your machine is old enough not to support booting from CDs. Unfortunately, neither technique worked. An error was reported from the ISOLINUX module. However, several other machines I own booted just fine, including a 486 and an Athlon box.

Once the system begins booting, it will check to see if the needed floppy disk has been inserted into the machine. If not, it will noisily remind you to insert the disk. Once the disk is inserted, the machine finishes booting.

That's it. Pretty simple.

Because my normal firewall box was one of the Pentium boxes that refused to boot up, I could not test the firewall quite as extensively as I normally would have. However, the test box seemed to perform its function well, keeping to a lean-and-mean firewall concept. It started the daemons it required, and not much else. Just what the doctor ordered.

Modifications

If you need to patch or enhance the system for your needs, there is a short but helpful document that describes how you can easily recompile and rebuild the distribution. This could be quite helpful for creating highly tailored firewalls, if needed.

As I mentioned earlier, Devil-Linux is still in development. This means that there is still room for improvements and enhancements. If you find that this project fits your needs, or at least comes close, you might want to contribute to the development process. I'm sure that the development team would welcome the help.

Summary

Devil-Linux is a nice little firewall that could have a bright future. It is not suitable for every occasion (especially in places without a sysadmin handy), but I don't doubt that many technical people will find places to employ this project. If you want a tight little firewall that only does what you want it to, check out Devil-Linux.

Read in the original layout at: http://www.linux.com/archive/articles/21686