Re: Should I propose a Debian Firewall?
"Rene Mayrhofer" wrote:
> I am very interested in your selection of daemons and tools that
> are needed on a firewall. Maybe we can share some ideas in this
> area.

I'll forward you some notes and maybe a tarball or two when
I get a chance in the next couple of days. I'd be glad to have
someone else's opinion. I don't claim to be an expert on this
sort of thing, so don't laugh too hard if I've made any really
dumb mistakes.

I looked over the Linux Router Project before I started on this,
but I found that what I really wanted was something even simpler.
My aim was to build up little single floppy systems that are
almost 'pseudo-embedded' in the sense that they have no interactive
login or need for persistent storage. The kernels are tiny, no
devices except the ram disk, serial, ethernet, and ppp or lp if
needed. I elected to include math emulation so I don't have to
worry about 'SX' machines, but the only filesystems needed are
minix and proc.

I elected to leave out modules entirely except where absolutely
necessary (such as with ip_masq_*) in order to simplify things. I then
just started with inittab and worked my way up from there using ldd
and lsof to find the minimal set of binaries and libraries I needed
to get to the point where the needed services are running. I did away
entirely with the conventional startup system (to make it easier for me
to understand) and condensed the whole thing down to two scripts;
'startup.sh' and 'services.sh'. I know it probably seems crazy, but I
also eliminated everything having to do with shutdown since there's
nothing persistent anyway. Just cycle the power if you need to
restart. 8^)

I am probably going to experiment with adding a minimal syslogd/klogd
to allow real logging either to a remote host or by mounting a hard
drive partition onto /var. This will of course require ide drive
support and probably ext2 since I think minix filesystems are limited
to a max of 65MB. I guess I'd have to have a real shutdown and do
some tidying up beforehand as well.

The bootable disks are built by creating an image of the root
filesystem you want in a directory on a real Linux box and then
using a couple of scripts to pack it into an initrd.gz image and
write it onto a floppy with syslinux and your chosen kernel. It's
also easy to test these on your main box (hardware permitting) by
just adding an entry to your lilo.conf to boot your test kernel and
initrd.

My first purpose was to be able to provide single floppy
'crash recovery' disks for remote sites so that if they have a
catastrophic failure of a critical machine like a dhcp server they
can just grab a spare box, put in the floppy, and turn it on. I
also wanted to produce a system small enough that I could get
the whole thing in my head at once and understand exactly what
happens and what pieces are needed from kernel loading through to
the login prompt.
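The "ldd to find the minimal set of binaries and libraries" step the post describes, written out as an added example (this is not code from the post or from any Debian project; the function names, the root-image directory and the constructed ldd output in the comments are my own). Given a list of binaries, it works out which shared libraries they need and copies binaries plus libraries into a staging directory that can then be packed into the initrd image. Keeping the library set to exactly what the running services need is what keeps a floppy firewall's attack surface, and its size, small.

```shell
#!/bin/sh
# Added example, not the original post's own scripts. Assumes a POSIX sh,
# awk, and the usual ldd(1); the function names are made up here.
set -eu

# Parse ldd-style output on stdin and print one library path per line.
# ldd prints three line shapes; only the first two name a real file:
#   libc.so.6 => /lib/libc.so.6 (0x...)   -> /lib/libc.so.6
#   /lib/ld-linux.so.2 (0x...)            -> /lib/ld-linux.so.2
#   linux-vdso.so.1 => (0x...)            -> kernel-provided, no file, skipped
# "statically linked" / "not a dynamic executable" lines are skipped too.
parse_ldd() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Print the deduplicated set of libraries needed by all of the given binaries.
# A binary that ldd cannot analyse (e.g. a static one) simply contributes none.
collect_libs() {
    for bin in "$@"; do
        ldd "$bin" 2>/dev/null || true
    done | parse_ldd | sort -u
}

# Copy each binary and every library it needs into $root, preserving the
# absolute path, so /bin/sh lands in $root/bin/sh and /lib/libc.so.6 in
# $root/lib/libc.so.6. Prints the number of files staged.
stage_root() {
    root=$1; shift
    count=0
    for f in "$@" $(collect_libs "$@"); do
        [ -e "$f" ] || continue
        mkdir -p "$root$(dirname "$f")"
        cp -p "$f" "$root$f"
        count=$((count + 1))
    done
    echo "$count"
}

# Typical use (pick the binaries your startup.sh and services.sh call):
#   stage_root /tmp/rootimg /bin/sh /sbin/route /sbin/ipchains
# then review /tmp/rootimg before packing it into initrd.gz.
```

Run `collect_libs` on its own first and read the list: anything you do not recognise is a dependency you are about to ship onto the firewall, and that is the moment to swap the binary for a smaller or statically linked one. Note that `cp -p` follows symlinks, so a library reached through `/lib/libc.so.6 -> libc-2.x.so` is staged as a regular file under the name the loader asks for, which is what you want on the floppy.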