Linux.com

Feature: Security

Two floppy-based firewalls

By Paul Virijevich on March 14, 2005 (8:00:00 AM)


When you look in your closet, do you see a pile of obsolete hardware that you just cannot bring yourself to throw out, despite the pleas of your family? If you want to share your home Internet connection and save a little money at the same time, dust off that old hardware and set up a Linux-based firewall. All you need is a 486 or better processor, two network adapters (only one if you're on dial-up), a switch or hub, diskette drive, and 12MB of RAM. In this article, we'll take a look at floppyfw and Coyote Linux, two free, open source projects that have shrunk Linux down to diskette size to implement a firewall.

Both projects include quite a bit of functionality for a diskette-based distro:

  • A firewall based on iptables
  • Network address translation (NAT) for Internet connection sharing
  • Dial-up and Point-to-Point Protocol over Ethernet (PPPoE) support
  • Built-in DHCP server
  • Built-in caching DNS server

floppyfw

floppyfw comes in two versions. One supports only dial-up; the other adds PPPoE support for cable and DSL connections. You can install both versions from either Linux or Windows. Windows users will need to use Rawrite or WinImage to copy the image to a diskette. Linux users installing the dial-up version can use the dd command:

dd if=floppyfw-current.img of=/dev/fd0

For the PPPoE version, Linux users must run the superformat command first to allow an image larger than 1.4 MB to fit on the floppy. Use:

superformat /dev/fd0u1680
dd if=floppyfw-current-pppoe.img of=/dev/fd0

Configure the application for your environment by editing the file config located in the root directory. This file contains your network information and controls all of floppyfw's functionality.

For example, to enable DHCP, change the setting:

DHCP_DAEMON=n

to

DHCP_DAEMON=y

and change the parameters

DHCP_RANGE_START=10.42.42.100
DHCP_RANGE_END=10.42.42.200

to meet your network's requirements.

By default, floppyfw allows outgoing connections established by computers inside the network. Unsolicited connections to your firewall are blocked. This setup has the advantage of not accidentally blocking traffic that internal users depend on. At the same time, however, it allows spyware or trojan horse programs to make it past the firewall, since it trusts all outgoing connections. You can eliminate this problem by setting fine-grained access controls with iptables statements in the file firewall.ini.

One way to do this is to set your firewall to drop all packets. This makes for a very secure and very useless firewall. To fix this problem, you need to specify which outgoing and incoming connections to allow. Here is an example that allows email to be retrieved from a POP3 server:

iptables -A INPUT -i $OUTSIDE_DEVICE -p tcp --sport 110 -j ACCEPT
iptables -A OUTPUT -o $OUTSIDE_DEVICE -p tcp --dport 110 -j ACCEPT

The $OUTSIDE_DEVICE parameter is your Internet interface and is automatically set by floppyfw. Incoming packets with a source port (--sport) of 110 and outgoing packets with a destination port (--dport) of 110 can now traverse the firewall. Without this rule, the default policy is followed and the packets are dropped.

You should consider the above example pseudocode. You must make other changes in firewall.ini for this to work (at a minimum, dropping outgoing connections by default and adding a rule that allows DNS lookups). For more information on iptables, visit netfilter.org.
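To show what those "other changes" look like in one place, here is a complete, default-deny rule set written as a shell script in the style of firewall.ini. This is an added example, not floppyfw's own firewall.ini or any code from the project. It assumes that floppyfw sets $OUTSIDE_DEVICE (as the article states); the name INSIDE_DEVICE for the LAN interface is hypothetical; the kernel on the diskette includes the iptables "state" and "limit" matches; POP3_SERVER is a constructed placeholder address to replace with your mail host; and NAT/masquerading is configured elsewhere and not shown. It goes one step beyond the article's rule: instead of accepting any inbound packet with source port 110, it accepts only packets belonging to a session a LAN host started.

```shell
#!/bin/sh
# Added example, not floppyfw's own firewall.ini: a restrictive, stateful
# rule set in the spirit of the article's POP3 example.
# Assumptions: floppyfw sets OUTSIDE_DEVICE (the article confirms that);
# INSIDE_DEVICE is a hypothetical name for the LAN interface; the kernel has
# the iptables "state" and "limit" matches; POP3_SERVER is a constructed
# placeholder you replace with your mail host; NAT/masquerading is
# configured separately and not shown here.
OUTSIDE_DEVICE="${OUTSIDE_DEVICE:-eth0}"
INSIDE_DEVICE="${INSIDE_DEVICE:-eth1}"
POP3_SERVER="${POP3_SERVER:-192.0.2.10}"   # constructed, RFC 5737 documentation range

# With DRY_RUN=1 each rule is printed instead of loaded, so the set can be
# reviewed on a machine that has no iptables at all.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

gen_firewall_rules() {
    # Clean slate, then drop everything by default in all three chains.
    ipt -F
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # Local daemons (caching DNS, DHCP) talk to themselves over loopback.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Replies to connections that the firewall or the LAN already opened.
    # This is what makes the set stateful: a packet from the Internet with
    # source port 110 is not accepted on its own, only as part of a session
    # a LAN host started (a stateless --sport 110 rule would accept it regardless).
    ipt -A INPUT -i "$OUTSIDE_DEVICE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$OUTSIDE_DEVICE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN clients use the firewall's own DHCP server and caching DNS.
    ipt -A INPUT -i "$INSIDE_DEVICE" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$INSIDE_DEVICE" -p udp --dport 67 -j ACCEPT
    ipt -A OUTPUT -o "$INSIDE_DEVICE" -p udp --sport 67 --dport 68 -j ACCEPT

    # The caching resolver itself needs to reach upstream DNS servers.
    ipt -A OUTPUT -o "$OUTSIDE_DEVICE" -p udp --dport 53 -m state --state NEW -j ACCEPT

    # POP3: only from the LAN, only to the chosen mail server, only new sessions.
    ipt -A FORWARD -i "$INSIDE_DEVICE" -o "$OUTSIDE_DEVICE" -p tcp \
        -d "$POP3_SERVER" --dport 110 -m state --state NEW -j ACCEPT

    # Anything else the LAN tries to open falls through to the DROP policy;
    # log a rate-limited sample so blocked spyware call-homes are visible.
    ipt -A FORWARD -i "$INSIDE_DEVICE" -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Print the rule set without touching the kernel (subshell keeps DRY_RUN local).
list_firewall_rules() {
    ( DRY_RUN=1; gen_firewall_rules )
}

# Number of explicit ACCEPT rules; a quick sanity check before loading.
count_accept_rules() {
    list_firewall_rules | grep -c -- '-j ACCEPT'
}

# Usage: sh firewall-example.sh          (review the rules)
#        sh firewall-example.sh --apply  (load them, as root, on the firewall)
if [ "${1:-}" = "--apply" ]; then
    gen_firewall_rules
else
    list_firewall_rules
fi
```

Run without arguments, the script only prints the rules, which is the safest way to review a default-deny set before it locks you out of your own LAN. The ESTABLISHED,RELATED rules do the work that the article's source-port match was standing in for: return traffic is admitted because the connection tracker saw the LAN host open the session, not because of the port number the remote side happens to use.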

Coyote Linux

Coyote Linux is a good alternative to floppyfw. You can install Coyote Linux using its boot disk creation tool under either Linux or Windows. This program asks all of the questions necessary to set up your firewall. When you're finished answering, you place a diskette in the drive and press Enter. In about a minute, your diskette is ready for use.

Coyote Linux includes a menu-based interface for local administration. Coyote provides both SSH and a Web-based interface for remote administration. You will probably spend most of your time with the Web-based interface. It allows you to:

  • Check the status of your firewall
  • Configure LAN and Internet settings
  • Configure firewall rules
  • Configure port-forwarding
  • Enable and disable DHCP and DNS caching
  • Enable and disable Quality of Service (QoS)
  • Back up the system
  • Reboot the system

By default, Coyote Linux provides the same level of protection as floppyfw. To set up a more restrictive firewall, use the Web-based administration tool or add your iptables rules to /etc/coyote/firewall.

What the future holds

The days of the diskette are slowly but surely coming to an end. Both floppyfw and Coyote Linux have found ways to avoid dying along with it.

You can run either from a CD-ROM. Floppyfw provides an ISO image along with instructions on how to customize the CD for your environment. To run Coyote Linux from a CD, you have to use an add-on that creates a diskette first, which you then customize and use to create your CD image. The problem with the CD approach, however, with either program, is that configuration changes you make to the running firewall will not survive a reboot.

Both projects also have add-ons that let you run the firewall from a hard drive. This approach lets configuration changes survive a reboot, but a hard drive is another potential point of failure, and requires more electricity and adds heat (the dreaded enemy of stability) to the system.

Both projects also support running from flash memory, via an IDE-to-CompactFlash adapter or a USB pen drive. Running the firewall from flash memory allows configuration changes to survive a reboot and eliminates the possibility of a drive failure. It also allows you to run as many add-ons as you like.

Both applications are extensible via add-on packages that offer everything from print servers to ad-blocking. You can use as many add-ons as you have diskette space. Add-ons for floppyfw can be found on its homepage. A great third-party resource for Coyote Linux add-ons is Claudio's Coyote Page.

Which one is right for you?

Both floppyfw and Coyote Linux provide adequate protection for home or small office use. So which is right for you?

floppyfw takes a minimalist approach that requires you to understand iptables in order to customize it. Its lack of remote administration could be seen as an advantage for both resource-constrained and security-conscious users. Running SSH or a Web server takes up memory and processor resources that could be used to support more users. It is also one less source of potential vulnerabilities. Those familiar with Linux and command-line administration will feel right at home with floppyfw.

Coyote Linux shines when it comes to ease of use. The disk creation program is easy to install on both Linux and Windows. The Web-based administration interface makes changing firewall settings a breeze. Add-on packages are also easy to install; in most cases, you just copy the file to the diskette and reboot. If you do not have much Linux experience, or if you just prefer graphical administration, Coyote Linux makes more sense for you.

The next time someone asks you when you're going to throw out all that old computer junk, tell them how open source software can give old hardware new life. You can turn that old hardware into an IP-masquerading, network address-translating, Linux-based firewall on a floppy.

Paul Virijevich is working to eliminate the "Linux consultants cost more" TCO myth. He recently started a consultancy providing cost-effective, open-source solutions to small businesses.


Comments

on Two floppy-based firewalls


Devil Linux too! Floppy on Security Steroids.

Posted by: Anonymous Coward on March 14, 2005 07:54 PM
Don't forget Devil Linux as a solution as well.

I used an electronic floppy drive in the past that this same firewall system will run on today.
From the "old equipment closet"... Anyway, a while ago, when Citrix's OS/2 ICA thin client computing solution, "Multi-User" product, first came out the multi-user/multi-tasking server was running on a MS-OS/2 OS. Yep this was back in the very early 1990's when Citrix first rolled out their first version of their product line, even before they later became a remote solution for Novell networks and changed their product name. I had a customer that had to have computers in places where there was no heat and very cold winters. So- I got some 386's (used), some big 19" IBM Monochrome Monitors (refurb/used for cheap), and built and sold the first IBM/OS2 Citrix ICA client terminal device (no patent but I got prior art in the closet). How did I know I built the first ICA client device, well, because there were none for sale, and Citrix had no clue about this direction because their product was so new and they were so small. I used a writable ROM ISA card (used mostly for putting in factory floor machines to run kinds of repeating motion manufacturing machine and early robotic stuff) that had a switch on the back of the ICA card (exposed to outside for easy access) that allowed two settings. One setting is when you wrote to it, the card was seen by the system and was writable as drive C: (or other hard drive). Then, when you had written DOS to it, and moved your ICA Citrix Client to the DOS, you then shut down the machine. Flipped the switch on the ISA ROM card to the second setting, and it became a READ-ONLY forced by hardware option. The floppy drive emulation found in this non-writable electronic floppy, was seen by any system that you put it in as A:, so it could be booted first. The ICA DOS client ran, and up on the screen from the server came the login and a fully functional DOS prompt and you wrote batch files for application menus, etc from there.
It was fast, very compatible MS-OS/2 with all DOS applications and it did not have moving parts in the drive that would become a problem with the very cold weather (expansion and contraction of the tracks on the media was a problem with the cold back then). The Citrix client booted up via ICA into the 2-4 MB of RAM on the 386 system delivering Platinum Accounting software, WordStar, and other DOS applications to the users. All this was centrally controlled and worked very fast. The various accounting software folks moved their support over to Windows so we ran the Citrix windows 3.11 on top of the MS-OS2 on the same terminals. However, when NT 3.51 showed up, the same terminals worked. It was when the Application folks required a fully operational Windows network that this was taken out and replaced with something that was SO SLOW and was a step back from the thin client solution on a very fast server system (486 and early 586 - I had one server I built with SCSI RAID and dual Pentium 75's). Windows on a network is a waste of bandwidth and time. When the first customer I built this for was forced to migrate from his thin client system by the application upgrades to the accounting system, that would not support the thin client model, I took back as junk most of the system that was built. It will still run today.

Today, we see Citrix having competition from LTSP, Tarantella, NoMachine NX servers that will allow one to do the same as what I built a long time ago now. Citrix I still like to recommend. Microsoft I don't (their license model is wrong for the thin client package and they over charge). Microsoft's traditional networking solution was designed to defeat Novell and it was a step backwards (until they forced Citrix to sell them the Terminal Server technology for NT4). Then, they took years to get Office to work and install easily on their terminal server.

Anyway, the FireWalls above could use these very same ICA cards and not even use the floppy. You gotta love Linux as it brings a use again to some hardware that we put in use close to 15 years ago. Boy do I have a closet (now 3 climate controlled 20 by 20 rooms). I just can't throw anything away.


Re: Devil Linux too! Floppy on Security Steroids.

Posted by: Anonymous [ip: 82.77.57.39] on August 17, 2007 07:32 PM
Hehe... dude, that was a nice story. I can't throw anything either. I keep finding myself trying to fit OSes on all the junk I have and then think.... damn, a second hand p3 is 10 bucks these days... why am I doing this? But it's soooo cool! Like kids playing with LEGO


Also Shorewall

Posted by: Anonymous Coward on March 16, 2005 05:10 AM
Since I had to move from modem to cable to support my wife viewing internet videos for some online classes she was taking, I have used shorewall at http://shorewall.net. I looked at Coyote Linux, and found that Shorewall is easier to configure than Coyote Linux.

