
Re: Should I propose a Debian Firewall?



"Rene Mayrhofer" wrote:
> I am very interested in your selection of daemons and tools that 
> are needed on a firewall. Maybe we can share some ideas in this 
> area.

I'll forward you some notes and maybe a tarball or two when 
I get a chance in the next couple of days. I'd be glad to have
someone else's opinion. I don't claim to be an expert on this 
sort of thing, so don't laugh too hard if I've made any really 
dumb mistakes. 

I looked over the Linux Router Project before I started on this, 
but I found that what I really wanted was something even simpler. 
My aim was to build up little single floppy systems that are 
almost 'pseudo embedded' in the sense that they have no interactive 
login or need for persistent storage. The kernels are tiny, no 
devices except the ram disk, serial, ethernet, and ppp or lp if 
needed. I elected to include math emulation so I don't have to
worry about 'SX' machines, but the only filesystems needed are 
minix and proc.

I elected to leave out modules entirely except where absolutely 
necessary (such as with ip_masq_*) in order to simplify things. I then 
just started with inittab and worked my way up from there using ldd
and lsof to find the minimal set of binaries and libraries I needed 
to get to the point where the needed services are running. I did away 
entirely with the conventional startup system (to make it easier for me 
to understand) and condensed the whole thing down to two scripts: 
'startup.sh' and 'services.sh'. I know it probably seems crazy, but I
also eliminated everything having to do with shutdown since there's
nothing persistent anyway. Just cycle the power if you need to 
restart.  8^)

I am probably going to experiment with adding a minimal syslogd/klogd 
to allow real logging either to a remote host or by mounting a hard 
drive partition onto /var. This will of course require ide drive 
support and probably ext2 since I think minix filesystems are limited 
to a max of 65MB. I guess I'd have to have a real shutdown and do
some tidying up beforehand as well.

The bootable disks are built by creating an image of the root 
filesystem you want in a directory on a real Linux box and then 
using a couple of scripts to pack it into an initrd.gz image and 
write it onto a floppy with syslinux and your chosen kernel. It's 
also easy to test these on your main box (hardware permitting) by 
just adding an entry to your lilo.conf to boot your test kernel and 
initrd.

My first purpose was to be able to provide single floppy 
'crash recovery' disks for remote sites so that if they have a 
catastrophic failure of a critical machine like a dhcp server they 
can just grab a spare box, put in the floppy, and turn it on. I 
also wanted to produce a system small enough that I could get 
the whole thing in my head at once and understand exactly what 
happens and what pieces are needed from kernel loading through to 
the login prompt.
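The dependency-gathering and initrd-packing steps described in the message, written out as an added example that is not the poster's own script (the function names, the ROOT/IMG arguments and the image size are assumptions; the pack step needs root for the loop mount):

```shell
#!/bin/sh
# Hypothetical helper: build a minimal root tree from a short list of
# binaries, pulling in only the shared libraries ldd reports, then pack
# it into a gzip-compressed minix image usable as an initrd.

# Parse ldd output on stdin and print one library path per line.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare loader
# line "/lib/ld-linux.so.2 (0x...)"; lines without a path such as
# "linux-gate.so.1 =>  (0x...)" or "statically linked" are skipped.
ldd_paths() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }   # name => /path (addr)
        $1 ~ /^\// { print $1 }                          # /path (addr)
    '
}

# Copy SRC into ROOT at the same absolute path, creating directories.
install_into() {
    root=$1; src=$2
    mkdir -p "$root$(dirname "$src")"
    cp -p "$src" "$root$src"
}

# Populate ROOT with the given binaries plus everything ldd says they
# need; nothing else lands on the disk, which keeps the attack surface
# and the image size down.
build_root() {
    root=$1; shift
    for bin in "$@"; do
        install_into "$root" "$bin"
        ldd "$bin" 2>/dev/null | ldd_paths | while read -r lib; do
            [ -e "$root$lib" ] || install_into "$root" "$lib"
        done
    done
}

# Pack ROOT into IMG (a minix filesystem of SIZE_KB kilobytes) and
# gzip it; the result IMG.gz is what syslinux hands to the kernel.
pack_initrd() {
    root=$1; img=$2; size_kb=$3
    dd if=/dev/zero of="$img" bs=1k count="$size_kb" 2>/dev/null
    mkfs.minix "$img" >/dev/null
    mnt=$(mktemp -d)
    mount -o loop -t minix "$img" "$mnt"
    cp -a "$root"/. "$mnt"/
    umount "$mnt"; rmdir "$mnt"
    gzip -9 "$img"
}

# Example invocation: mkroot.sh /tmp/root /sbin/init /bin/sh /sbin/pppd
if [ $# -ge 2 ]; then build_root "$@"; fi
```

Run ldd on the result afterwards (chrooted into ROOT) to confirm that no binary still reports a missing library before writing the floppy.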
