Linux.com

Feature: Security

Devil-Linux 1.0: The (hell)firewall

By Robin 'Roblimo' Miller on October 31, 2003 (8:00:00 AM)


Today, Halloween, marks the debut of Devil-Linux 1.0, a runs-from-CD (or USB flash device) firewall/router distribution designed to give you a large amount of security in return for very little setup work. The Halloween release date and the 'Devil-Linux' name itself were chosen for humor value, not for religious reasons. The Devil-Linux developers tend to be light-hearted, but don't let their conversational silliness fool you: This is serious software with a serious purpose.
Obviously, an operating system that runs from a CD can't be altered by someone who tries to take control of the computer it's on from a remote location. This is a better anti-hacker defense than any obscure password or software-based protection scheme ever developed.

One of the biggest improvements in the new 1.0 version is a curses-based setup utility that brings GUI-like administration capability to what is otherwise a command line-based, stripped-down distribution. This utility basically does everything necessary to configure Devil-Linux to the level of a "hardware broadband firewall/router," plus a little extra: You can set up two or three network cards; you can configure a standard firewall script with IP-Masquerading/NAT; and you can configure a DHCP server for your internal network.

This addition is primarily the work of Bruce Smith, who has also taken on the task of publicizing Devil-Linux, which has been a low-profile, low-key project until now, with six current developers listed at SourceForge, and fewer than 200 subscribers on its general discussion e-mail list.

In an instant messenger conversation yesterday, Bruce said, "I don't think the membership on the list means much, since I personally use a lot of software that I'm not a member of their mailing lists."

Bruce joined the project in May. It was started in mid-2002 by Heiko Zuerker, who Bruce told us "is still project leader and developer."

Not a desktop distribution

X-window is not part of Devil-Linux. The only way you can browse the Web through it is with Lynx or another text-based browser. But the lack of an X-based graphical desktop is what makes it able to run at a decent speed directly from a CD.

However, Devil-Linux 1.0 can be used as a server. This is functionality in the 1.0 release that was not previously available, but server use requires caution. Bruce says, "I know some people who run services on their firewall because of lack of funds for more PCs, but we don't recommend that because that lessens security."

Another option is to create a virtual server with VMware or a similar utility. Bruce says, "Devil-Linux runs great in VMware. All of the developers use VMware for testing. It saves a LOT of time. You don't even have to burn a CD, just point VMware's CD to the ISO image, and point the floppy to another image (to save the config).

"I don't know of anyone who runs Devil-Linux as a production firewall in VMware, but I don't know why it wouldn't work fine."

No strong reactions from the religious. Yet.

During our online chat, I asked Bruce if any humor-impaired Christians -- the kind of people who took Jesux seriously -- have complained about the Devil-Linux name. "I haven't heard any personally," he said. "I don't doubt it's happened, probably before my time, but I've never asked. If you look at the Web site, there is a paragraph about the name having absolutely nothing to do with the devil, etc. on the introduction page. I don't know if Heiko put that there because of complaints, or to head off complaints that haven't happened yet. I never asked."

Can you "review" software you help develop?

Bruce tried, sort of, on the Kalamazoo Linux Users Group Web site. Believe it or not, he did a reasonably even-handed job. And at the end of the article he admitted that he worked with the Devil-Linux project:

If you've read this far without falling asleep, I need to come clean with you on my current involvement with the Devil Linux distribution.

After using (and liking) Devil-Linux 0.5 for a long time, I wanted some software added to the next release, plus I had ideas for improvements in the area of installation and configuration. This motivated me to put my time where my mouth was, so in early 2003 I started writing and contributing code to the developers. In May 2003, I officially joined the Devil-Linux core development team, and I've been working on the soon-to-be released version 1.0 (and 1.1) ever since.

When I wrote this article from the perspective of an independent reviewer, I was not trying to mislead anyone. I was merely trying to tell my story and experiences in my own way. I tried to be as fair as possible, showing the strong points of Devil-Linux, along with the areas that still need improvement.

If you need a simple, highly secure, easily-configured firewall/router or simple server that can run on an old/cheap machine (even one of those sub-$25 early Pentium boxes you see at flea markets and garage sales), Devil-Linux seems like it ought to be a (can't ... resist ... pun...) hellishly good choice.

And Bruce's article on the KLUG site is a pretty good place to start learning what you can expect Devil-Linux to do (and not do), and it also gives basic setup instructions to help you make sure the only devil on your network is a friendly one you put there on purpose to protect yourself from evil devils that want to sneak into your network and torment you -- not just on Halloween but 365 days a year.


Comments

on Devil-Linux 1.0: The (hell)firewall

Note: Comments are owned by the poster. We are not responsible for their content.

I don't have a problem with the name

Posted by: Anonymous Coward on October 31, 2003 11:18 PM
But I do think that Roblimo is a "jump-on-the-bandwagon" Linux user who took no notice of it before it became popular to do so. He frequently shows his cluelessness about Linux and Open Source issues.

He also frequently shows his bias against people that believe differently than he does - as is evidenced by his "humor-impaired Christians" remark.

Hey, Roblimo, I've been a Linux user since 1993. I'm a Christian. I've got a great sense of humor, don't take offense easily to such things. I'm quite intelligent and tolerant of people who believe differently than I do.

It does really bug me, however, when people try to make themselves out to be something they aren't (like Linux experts or objective journalists).

#

Re:I don't have a problem with the name

Posted by: roblimo on October 31, 2003 11:58 PM
Well, if you weren't offended and you have such a great sense of humor, I obviously wasn't talking to or about you, was I? :)

FYI: Jesux was a fake Linux distro thought up in 1999 by Chris 'pudge' Nandor, a committed Christian (with a great sense of humor) who is my friend and coworker. He is responsible for much of the Perl code behind NewsForge. (Thinking of Perl, Larry Wall also qualifies as "Christian with great sense of humor," doesn't he?)

Also FYI: I "jumped on the Linux bandwagon" in 1997, long before most "non-technical" people considered it a viable desktop OS, and I have used Linux full-time for all my work since 1998. I tend to be a Linux and open source advocate rather than objective, and make no bones about it. However, NewsForge happily runs commentary that espouses multiple viewpoints; if you want to write a piece about how free software ideals and Christian ideals work together, we would be proud to run it. Or another direction is fine, as long as your thoughts are clear and you don't personally insult other readers.

But you'd have to sign your name instead of calling others "clueless" from behind the cloak of anonymity.

In any case, happy Halloween, and thanks for your input!

- Robin

#

A personal response to Roblimo

Posted by: Anonymous Coward on November 01, 2003 02:37 AM
Robin,

As the original poster, I have to say that I went too far, and I apologize for the negative personal comments. I shouldn't have personally insulted you. It did nothing to help and it was uncalled for.

Your response was very eloquent, but I notice that nowhere in it do you agree that your comments were offensive or offer any kind of regret or apology that you wrote them. In fact, you are very adept at side-stepping the issue. Parts of your response remind me of the old "some of my best friends are Christians" argument.

It's your right to continue to believe that Christians are narrow-minded, humorless people. I just wish that the part of your message about "as long as [...]you don't personally insult other readers" applied to you as well, because whether it was directed at me personally or not, it was directed at me.

And, just for the record, even if I was a registered user, hiding behind a nickname is not much different than being an anonymous user. I personally refuse to give out my real email address to every web site that requests it. And interestingly enough, I've never had a problem with spam.

Happy Halloween to you too! And a happy All Saints Day tomorrow! :-)

#

Re:A personal response to Roblimo

Posted by: Anonymous Coward on November 01, 2003 05:18 AM
Actually, if you bothered to read carefully, nowhere did he say that Christians are necessarily humourless. That such Christians exist is, however, beyond dispute - just as it is beyond dispute that there are humourless non-Christians.

Perhaps a little remedial reading and comprehension exercise is in order?

#

Re:A personal response to Roblimo

Posted by: Anonymous Coward on November 01, 2003 05:44 AM
While I understand your point, I still believe that the original tone of his comment was unnecessary and unprofessional. That section of the "review" could have been left out completely without compromising the spirit of the article (Rob, do you think they'll complain because I said "spirit"?) :-)

There is nothing wrong with my reading and comprehension (though occasionally my spelling is deficient). In fact, I'm pretty good at also reading between the lines. Maybe you should try it.

Hey, Roblimo's entitled to his opinions. So am I. I guess I'll just stop reading Newsforge. Too much effort for too little return these days.

#

Re:A personal response to Roblimo

Posted by: EnigmaOne on November 01, 2003 01:02 PM
What would probably be the best tack for you--at this point--would be to turn off the computer and ask yourself some probing questions as to why you were offended by Roblimo's remarks. It obviously touched on a raw nerve, and that's something that is--most properly--under your exclusive control.

I really found nothing wrong with the tone of his remarks, and found therein a bit of a humorous context. In certain humorless circles (Christian or otherwise), the Jesux spoof *was* blown out of proportion.

While he *could* have omitted what seems to have gotten under your skin, leaving things like that in gives a bit more multidimensionalism to what might otherwise be a monochromatic write-up. His including it is by no means unprofessional, and your insistence that he was somehow wrong in that would tend to undermine your position.

Maybe this is an outgrowth of what the "Dr. Spock Generation" of Americans have been teaching their children for the past two decades--what amounts to "If somebody offends you, it's your duty to shout them down for it." Maybe it isn't, and just amounts to a petulant streak. Maybe someday I'll actually care what the root of it is.

Personally, I'm sick of watching people attempt to make everyone, who has something to say, tip-toe around on PC eggs. The Internet is the last place to insist upon PC language.

Maybe it's time to grow a thicker skin and move on?

#

Re:I don't have a problem with the name

Posted by: Anonymous Coward on November 01, 2003 12:03 AM
I too am a Christian and wish to support this thread.

The article's statement of, "During our online chat, I asked Bruce if any humor-impaired Christians -- the kind of people who took Jesux seriously -- have complained about the Devil-Linux name" was out of line.

This comment was completely uncalled for and adds nothing to the review of this distro. After reading reviews for EvilEntity Linux there was no mention of any religion and it should have been the case for Devil-Linux.

I hope the editors of this web-mag are reading and filter future personal opinions towards other religions. This is a technical magazine related to open source, not someone's personal soap box.

Thank you.

#

Re:I don't have a problem with the name

Posted by: Anonymous Coward on November 01, 2003 01:46 AM
>I hope the editors of this web-mag are reading and
>filter future personal opinions towards other
>religions.

I don't see opinions towards any other religion.

#

Re:I don't have a problem with the name

Posted by: Anonymous Coward on November 01, 2003 05:12 AM
I don't think he was making an attack on Christians in general. If I'm not mistaken he was referring to any narrow-minded Christians. Much like one would refer to loud dogs vs quiet dogs. "Have you heard those loud dogs down the street?"

Does that read to you that all the dogs down the street are loud? If it does you have an issue with critical thinking skills. All it means is those dogs which are loud down the street, irregardless there may be quiet dogs down the street. Political correctness is so overrated. ^_^ Then again I'm a Zen Buddhist, so the comment didn't bother me one way or the other. Glee.

#

Re:I don't have a problem with the name

Posted by: Anonymous Coward on November 02, 2003 12:05 AM
Our friend Anonymous Reader is suffering from a crisis in faith or the evangelical equivalent of an inferiority complex. It is a mean comment I have just made, but when people of his stripe start making the comment "I'm a Christian.", I place my hand on my wallet and start to worry about which area of free speech in the US is about to be eroded away. He may say what he wishes. I would fight and die to protect his right to free speech; I doubt he would reciprocate. I am, however, not required to respect the content or intent of his speech.

Roblimo remembers freshman composition from college well. He thought SOAP and used SOAP.
Subject, Occasion, Audience, and Purpose are key elements in any composition.

SUBJECT == Easy to configure, secure firewall

Occasion == Web news site

Audience == Linux newbies, IT Managers, Home users, Power users suffering from sloth.

Purpose == Inform and entertain

Think very seriously about the sort of people interested in this distro. Not Devil worshipers, we'll leave that for the BSD crowd (;) - my niece thinks FreeBSD has the cutest logo), but people concerned about having a secure system and who do not necessarily have the skill needed to construct the sort of system this distro provides. Some of us are just too busy or suffer from sloth and find this distro a godsend that simplifies our lives and saves copious amounts of time. I liked 0.5 and I can't wait to download 1.0 for a try.

#

Re:I don't have a problem with the name

Posted by: Mandrake Magician on November 02, 2003 01:55 PM
"I place my hand on my wallet and start to worry about which area of free speech in the US is about to be eroded away."

Then the next time a Jehovah's Witness comes to your door, listen. They have won various freedoms related to speech and worship in 37 separate victories in the US Supreme Court. They won another one last year. And, while they will be glad to carry a voluntary donation back to their Kingdom Hall, if you were to visit that KH in person you would not be asked, in any way, shape or form, to contribute.

Leave your wallet ... and your prejudices ... at home and come worship Jehovah with us.

Rob ... your friend isn't much of a Christian if he stoops to that sort of parody. I don't think you gave your assertion of his faith much thought. Imagine if that make-believe distro had been called "Roblimosux" and then your 'friend' had called to borrow twenty dollars to renew the domain name. If he's any sort of a Christian, he's counting on Jesus for something a whole lot more important than twenty bucks.

Look at it another way. Would you ridicule your employer the morning of review day? Christians are keenly aware that every day is review day.

#

Security Updates?

Posted by: Charles Tryon on October 31, 2003 11:56 PM
Like it or not, even a ROM (CD or other read-only memory) based installation can be cracked into, if there are vulnerabilities in the running software. Is there a mechanism for providing updates and security patches when vulnerabilities are uncovered in the included software?

#

Re:Security Updates?

Posted by: Anonymous Coward on November 01, 2003 12:17 AM
Yeah, but hit the reset button and the crack is gone from the router. If the crack made it past the router that is another matter. And hopefully you have a dual firewall system if you want rings of security.

You can update (with some work) by rebuilding the ISO and burning a new CD. There are instructions for doing so. But I believe they provide a new ISO in such an event.

#

Re:Security Updates?

Posted by: Anonymous Coward on November 01, 2003 12:18 AM
Which really has nothing to do with anything. The point being, even if the system is hacked, you can restore it back to its pre-hack state by simply rebooting.

A problem with hacks is that you often have no idea what's been hacked. This puts you back at square one with the knowledge that you're not running a hacked/trojaned version of anything. Once you're back at square one, you can start figuring out what bug allowed the penetration, updating as needed.

The down side is, unless the log files are persistent, it makes it much harder to figure out what happened.

Having everything run from RO media really is considered a security plus. It greatly minimizes the damage that can occur, in the event a hack is discovered. Not to mention, it can make it harder to come up with a valid hack which can compromise the attached network(s).

#

Re:Security Updates?

Posted by: Anonymous Coward on November 01, 2003 02:54 AM
The point being, even if the system is hacked, you can restore it back to its pre-hack state by simply rebooting.


Actually, while that's true, it doesn't change the fact that the underlying vulnerability that caused the box to get hacked in the first place is still burned into the CD. You reboot, they re-hack (if that's such a word). The only real option is to update the CD as vulnerabilities are found.

#

Re:Security Updates?

Posted by: Anonymous Coward on November 01, 2003 03:21 AM
At least it buys you some time to look into the situation. And in a home application, boot the darn thing every day until you burn a new CD.

#

Thanx For The Good Work

Posted by: Anonymous Coward on November 01, 2003 12:49 AM
I'd like to thank the DL team for their good work. I gave it a try and I like it.

In fact, it made a good school project for some kids to learn how to build a computer and router to protect their virus engine Windblows boxes on a budget. Granted, you can go and pick up a Linksys or something like it cheap these days but that was not the point of the exercise.

#

"X Window"?

Posted by: Anonymous Coward on November 01, 2003 11:55 PM
The correct name you are looking for is "X" or "The X Window System". "X Window" makes no sense.

#

Re:"X Window"?

Posted by: Anonymous Coward on November 03, 2003 09:07 AM
Or, more accurately, X11?

#

This story has been archived. Comments can no longer be posted.



 