Devil-Linux distro bundles router/firewall and server in one live CD

Devil-Linux might sound hellish for a Linux distribution, but this live CD offers many blessings for your server needs. Originally developed as a router/firewall distribution, Devil-Linux has expanded its functionality to include nearly every service that a server might offer. It can function as an LDAP server, a VPN server, an email or file server, and more.

As stated in the documentation, Devil-Linux runs directly from a CD or DVD-ROM only, so you don’t need to install anything to a hard disk — just keep the Devil-Linux configuration files that automate the configuration upon reboot on a diskette or USB drive. Since access to the live CD is read-only, it’s impossible to install rootkits or other malicious software to the distribution.

Devil-Linux uses the Linux From Scratch (LFS) build system, which means you can customize the distribution easily. The latest version is 1.2.15, which runs on an old kernel 2.4.36.6, but with mostly updated router, firewall, and server services. Devil-Linux uses the usual iptables and Netfilter firewalls to create rules and open source services that can support routing protocols such as Routing Information Protocol (RIP), Border Gateway Protocol (BGP), and Open Shortest Path First (OSPF). It supports Internet Protocol version 6 (IPv6) by including the necessary services, and it features a firewall builder tool to aid in setting up the firewall policies. For improved security, it also includes the grsecurity patch to protect the distribution’s kernel.

In addition to its router/firewall functionalities, Devil-Linux includes services for server functionalities such as the Samba file server, Apache HTTP server, and the Postfix mail server. However, Devil-Linux is designed to be lightweight, so don’t expect a graphical interface or support for X Window System. Don’t worry about the lack of a graphical interface, though, because graphical scripts can help you configure the distribution. The man pages for each program are also helpful.

In addition to being able to boot from CD-ROM, you can optionally install Devil-Linux on a bootable USB flash drive with the script install-on-usb, provided in the Devil-Linux download.

Devil-Linux doesn’t need a hard disk for the installation, but if your machine has one, you can dedicate the hard disk for other purposes, such as file server storage. The lightweight design reduces the distribution’s requirements — a minimum configuration needs only an Intel 486 processor, 32MB of RAM, an IDE or SCSI CD-ROM drive, a diskette drive or USB with flash drive support, and a 10/100 network interface card (NIC). In practice, the minimal hardware requirement depends on the server applications you intend to run, but for a simple router/firewall setup, the minimum requirement should be sufficient. That means you can reuse old machines for this distribution.

Dancing with the devil

To use Devil-Linux, download the latest version (a 220MB .tar package) and extract the contents to a folder. The contents include the distribution ISO image, some predefined configuration files and scripts, and an HTML help document. Burn the image to a CD/DVD and boot it on your machine. I used a virtual machine environment running on a 2.6GHz CPU with an allocated 512MB of memory and 10GB of hard disk space. I tested using both a diskette and USB drive to store the configuration.

The simple boot menu only offers options to set the screen resolution or to run the Memtest86+ tool if you want to first test the memory. During the boot process, Devil-Linux detects the presence of diskette and USB drives. If a configuration file is already present on your drives, it will load the configuration automatically; if not, it will load the default configuration. If it finds no diskette or USB disk, it will ask if it can continue without using any media to save the configuration information.

Once the boot process is complete you’re presented with a login prompt. Use the username “root” without any password to enter the console.

On my initial boot of Devil-Linux, I changed the root password, set up the network configuration, and started the necessary router/firewall, gateway, and server services, including Samba, MySQL, Snort, IPSEC VPN, and OpenVPN. For easy configuration, you can use the setup command to enter the graphical configuration. Inside the configuration, you can change the root password and edit network details such as the hostname, the IP addresses, and the domain. To set up the NIC, you must first choose the appropriate NIC module from the module list for your network card to load properly. The developers of the distribution could improve this step by detecting the NIC automatically instead of requiring that you select it manually. For my environment, I have two NICs: one for the WAN connection and the other for the LAN. I configured the static address of each NIC and enabled the Dynamic Host Configuration Protocol (DHCP) service on the LAN NIC. I also configured some parameters for the DHCP server, including the IP range of the DHCP pool, the DNS servers, and the domain.

Devil-Linux includes many services that you can enable, including services for Asymmetric Digital Subscriber Line (ADSL) connection, Internet Protocol Security (IPSec), virtual private network (VPN), and Point-to-Point Tunneling Protocol (PPTP) connection. You get intrusion detection services such as Snort, spam filters such as SpamAssassin, network monitors like Nagios, Lightweight Directory Access Protocol (LDAP), MySQL, and other server-related services. To reduce hardware requirements and security vulnerabilities, choose only the services you require; the more services you enable, the more ports and possible vulnerabilities will be exposed. After you select all the services you need, go back to the main configuration menu and save the configuration to a diskette or USB disk.

In my case, I enabled the firewall services iptables and Netfilter, and the firewall builder and routing protocol services RIP, OSPF, and BGP. I also enabled the DHCP service, Snort, ntop, Multi Router Traffic Grapher (MRTG), Secure Shell (SSH), and Secure Sockets Layer (SSL). Finally, I enabled Samba so I could easily transfer configuration files or other packages I wanted to use inside the distribution to the Devil-Linux local hard disk. You could also utilize the Samba functionality by installing a BitTorrent client inside the distribution and managing the client remotely via a Web interface. Further documentation is available online if you need help setting up the distribution.

I tested most of the router and firewall functionalities by testing VPN functionality using OpenVPN. The VPN was able to connect and the networks on each end of the VPN tunnel could communicate, meaning that both routing and the VPN worked. I also tried to access the private network from outside, using a computer from another network segment, and, since the define rules on the firewall didn’t allow access from outside the network, the outside segment couldn’t access the private network. I used the firewall builder to configure iptables, and it worked as intended. For simple monitoring of the Devil-Linux box performance, I used ntop and MRTG.

Conclusion

Devil-Linux offers many features, including WLAN support, network monitoring tools, and different VPN connections, but it’s hard to configure without configuration scripts. Unfortunately, only the setup configuration script, which can configure network and some firewall settings and enable the services, is readily available. Most of the services you need to configure manually using the configuration files. If the service itself traditionally includes scripts, configuration might be a little easier, but I didn’t find any scripts from Devil-Linux itself that could be used to configure services, and the documentation doesn’t talk about any scripts for specific services. If you’re experienced with the services included in Devil-Linux, this distribution should suit your needs. You can use Devil-Linux to set up a low-end PC to do router and firewall tasks, offer automated BitTorrent download capability, store files, and access them easily using Samba.

Overall, Devil-Linux can be useful for many applications, as long as you understand how to use and configure the services within the CLI environment. If you don’t want to spend time configuring files or executing CLI commands, look for other distributions with graphical environments; such as the upcoming GUI addition for Vyatta Community Edition 4.