March 8, 2002

Dancing with the Devil (the Devil-Linux firewall, that is)

Author: JT Smith

One of the really beautiful features of Open Source software is the
ability to customize the software for very particular purposes. One such
special-purpose customization is Devil-Linux, a Linux
distribution built for lightweight firewalls.

Now, there are several Linux firewall products available, including the
Mitel SME Server (formerly E-Smith Firewall and Gateway reviewed
on NewsForge
last year), but Devil-Linux approaches the problem a bit
differently. Where the Mitel product is focused on ease of installation
and administration, the Devil-Linux offering is much more techie in its
configuration.

But the main feature of Devil-Linux is intriguing: It is designed to
install without the use of a hard drive. The operating system requires
the use of a CDROM and a write-protected floppy. The CDROM provides the
operating system, and the floppy provides the configuration information,
via a tarball that is unpacked into the /etc directory. In this way, the
system is fully configurable, yet the running system has no writeable
device.

Why is this helpful? If the system is compromised, it is impossible to
install a stealth root kit. This means that a simple reboot will ensure
that any compromising software has been removed.

But that's only half the equation. Any sysadmin worth his salt will point
out that reloading the same software that was cracked is just re-arming a
time bomb. If it was cracked once, it will be cracked again.

If it was a matter of a poor choice of security settings, you will need to
edit the selections you made and recreate the floppy. If a software kit
is at fault and Devil-Linux has already upgraded it, you will need to
download a new CDROM ISO image from the Web site. If no patch is available
yet, you will need to unpack the ISO image onto another machine, install a
corrected executables from another source, and then rebuild and reburn the
ISO image. The last option is not exactly kid stuff, but security doesn't
always come with a candy coating.

Project background

The project's Web page points out that the naming of Devil-Linux does not
have any religious significance. In a move reminiscent of the naming of
Linux (where the person maintaining the FTP download site named the
project after Linus Torvalds), a friend of the project leader suggested
naming the project after a picture on the leader's T-shirt: a BSD-like
Daemon.

Devil-Linux is a working firewall, but it is still at version 0.5b5, so it
is still very much a work in progress. According to the Web page,
additional capabilities are still on the drawing board, such as HTTP and
FTP servers and an intrusion detection system. But for now, it is a
functional firewall based on the Linux-from-Scratch project using a 2.4
kernel with a number of usable components.

Configuring the system

Setup is not for the total novice, but it does not require extensive
expertise, either. You will need to be acquainted with basic sysadmin
skills for a Linux system. If you can create tarballs and edit
the configuration files normally kept in /etc, you should be ok.

The Web page at http://www.devil-linux.org/ does include reasonable
documentation. It does not talk you through every edit of the config
files, but it certainly gives you a good outline of the process of setting
up this system. Having a copy of the short but informative documentation
handy is advisable. It is included in the download kit.

First, you will need to download and burn a copy of the Devil-Linux ISO
image. It's a straightforward operation if you have burned your own ISO
images onto CDs before.

Once you have burned the CD, untar the file etc.tar.gz into a directory on
your system. Yes, you will need to perform this action on a system other
than that to be used as the firewall, because the configuration
takes place before you ever boot the firewall.

The documentation suggests editing at least these files:

etc/resolv.conf
etc/sysconfig/config
etc/sysconfig/software
etc/sysconfig/nic/ifcfg-*

The information you will need to supply is precisely what you would
expect. You will need to specify the drivers to use for each of the
network cards as well as the normal network parameters. (IP address,
netmasks, DNS server addresses, etc.)

You will also choose which services to start on the firewall. These
services include such things as PPP, IPsec, SSH, Bind, PPPoE, DHCP, PPTP,
LDAP, and SNMP. Configuration of most of these services is
straightforward for a moderately experienced administrator.

Some normal configuration options are notable by their absence. There
is no need to configure sound cards or define X Windows parameters. As a
dedicated server, Devil-Linux has no need for such things. And that
simplifies the setup process greatly.

Once you have set up the configuration files, you will need to recreate
the /etc tarball and place it on a DOS-formatted floppy disk. Once you
have copied the file onto the floppy, set the write-protect tab on the
diskette. This will prevent any crackers from potentially modifying the
configuration information.

Execution

This is the one point where the beta-ness of the code showed up. I had
two first-generation Pentium boxes that absolutely refused to boot the
Devil-Linux kernel. Normally, you can boot straight from the CD, but you
have the option of booting from a DOS floppy if your machine is old enough
not to support booting from CDs. Unfortunately, neither technique worked.
An error was reported from the ISOLINUX module. However, several other
machines I own booted just fine, including a 486 and an Athlon box.

Once the system begins booting, it will check to see if the needed floppy
disk has been inserted into the machine. If not, it will noisily remind
you to insert the disk. Once the disk is inserted, the machine finishes
booting.

That's it. Pretty simple.

Because my normal firewall box was one of the Pentium boxes that refused
to boot up, I could not test the firewall quite as extensively as I
normally would have. However, the test box seemed to perform its
function well, keeping to a lean-and-mean firewall concept. It started
the daemons it required, and not much else. Just what the doctor ordered.

Modifications

If you need to patch or enhance the system for your needs, there is a
short but helpful document that describes how you can easily recompile
and rebuild the distribution. This could be quite helpful for creating
highly tailored firewalls, if needed.

As I mentioned earlier, Devil-Linux is still in development. This means
that there is still room for improvements and enhancements. If you find
that this project fits your needs, or at least comes close, you might want
to contribute to the development process. I'm sure that the development
team would welcome the help.

Summary

Devil-Linux is a nice little firewall that could have a bright future. It
is not suitable for every occasion (especially in places without a
sysadmin handy), but I don't doubt that many technical people will find
places to employ this project. If you want a tight little firewall that
only does what you want it to, check out Devil-Linux.

Categories:

  • Distributions
  • Linux
  • Reviews
  • Devil-Linux
Click Here!