
Re: Building Debian firewall



Before you do too much reinventing of the wheel, you might want to look more
closely at some of the existing "small Linux" distributions that are geared
to floppy-based routers/firewalls. The Debian-derived ones I know of are:

        Linux Router Project -- www.linuxrouter.org -OR-
                                lrp.c0wz.com

        LEAF -- leaf.sourceforge.net

Though derived from Debian (Slink), they now depart from it quite a bit,
mainly for these reasons:

        the Debian packaging standards require inclusion of a lot
                of stuff inappropriate to floppy-based systems
                (e.g., man pages and other documentation)
        the Debian base relies on apps that are unsuited for
                single-purpose, one-floppy quasi-embedded
                systems (e.g., Perl)
        single-floppy systems require aggressive minimalization of
                libraries. glibc-2.1 is still too big (though
                people are working on shrinking it), so these
                distributions still rely on glibc-2.0, and there
                is interest in moving to uClibc when it is a bit
                more polished.

These (related, BTW) distributions mostly ship as floppy images, with images
available that match common setups (including a nice one for NAT'd
DSL/PPPoE), along with a simplified (compared to .deb or .rpm) packaging
system for adding in desired features. The complexities of routing
requirements -- even if the internal network is always Ethernet, the
external can be Ethernet (to a DSL or cable modem), DS-1 (via a Cyclades
card, for example), ordinary PPP dialup, DSL with PPPoE ... and those are
just the common choices in the USA ... add to that various NAT'ing
possibilities and the possible use of a DMZ -- make the task of designing
and implementing a simple "router/firewall-construction-kit" a somewhat
daunting challenge.

Still, the support system for these existing distributions isn't as slick as
what you envision ... the addition of a source for the "latest security
fixes" would be a real step forward, but the manpower for this seems to be
lacking (though LEAF is better here than official LRP, since it does have
more active developers). Addressing this gap -- either in the context of a
new distribution, if you and others have that much energy, or as part of an
existing project -- sounds like a great idea. Because the embedded-libraries
requirement introduces the need for separate compilation of apps for a
compact distribution of this sort, I don't know if there is a gain from
piggybacking this onto the stock Debian distribution system or not.

There are other router/firewall distributions too, mostly derived from Red
Hat. I have only a passing familiarity with them, but the usual sorts of
searches should turn them up. I doubt they handle the security-update issue
any better, though.

At 12:53 PM 5/28/01 +0200, Andreas Tille wrote:
>On Sun, 27 May 2001, Kirk Schroeder wrote:
>
>> I also understand the minimalist approach. I am currently using a Linux
>> Router based product. The reason I want to use a Debian based firewall
>> is the easy use of apt-get to upgrade security updates and the flexibility
>> of adding intrusion detection and other security based products to my
>> firewall.
>I also will have to install a 486 box as firewall/router.  I'd like to
>set it up diskless and just boot it from a single floppy.  This would
>avoid using apt-get.
>My idea is that we could perhaps build a "router/firewall-construction-kit"
>package:  Having the latest security fixes installed on a master host, a
>floppy image with kernel and all the necessary stuff could be built
>automatically if there are any security fixes and dd-ed to a disk.  Then the
>router just needs to be rebooted.  No need for any fsck or anything else.  No
>waste of energy for spinning hard disks and no additional noise of the box.
>
>Does somebody think that such a Debian-based router/firewall-construction-kit
>would be possible?  I'm a bloody beginner in this field.



--
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA           	 	         ray@comarre.com        
----------------------------------------------------------------
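The "rebuild the floppy image only when the master host has picked up new security fixes, then dd it and reboot" workflow sketched in the quoted message, as an added example that is not code from this thread, from LRP or from LEAF. It assumes a manifest of installed package versions (one "package version" line each, as dpkg-query can print), a staged root directory that has already been assembled by whatever means, and a gzipped tar as the image format; a real boot floppy also needs a kernel, a boot loader and a filesystem, which this script does not produce. The package names and versions in the demo are constructed sample data.

```shell
#!/bin/sh
# Hypothetical rebuild-on-update helper (added example, not from the thread).
# Workflow: compare the package manifest used for the last image with the
# master host's current manifest; if anything changed, repack the staged
# root into a new image and record a checksum so the copy written to the
# floppy can be verified before the router is rebooted from it.
#
# Assumptions (mine, not LRP/LEAF conventions):
#   - manifests are "package version" lines, e.g. from
#       dpkg-query -W -f='${Package} ${Version}\n' <packages>
#   - the image is a gzipped tar of a staged directory (no kernel/bootloader)
set -eu

# Read a manifest from stdin and print it sorted with blank lines dropped,
# so ordering differences alone never trigger a rebuild.
normalize_manifest() {
    grep -v '^[[:space:]]*$' | sort
}

# needs_rebuild OLD NEW: succeed (0) if the manifests differ, fail (1) if not.
needs_rebuild() {
    old=$(normalize_manifest < "$1")
    new=$(normalize_manifest < "$2")
    [ "$old" != "$new" ]
}

# build_image STAGEDIR OUT: pack the staged root and write OUT.sha256 beside it.
build_image() {
    tar -C "$1" -czf "$2" .
    sha256sum "$2" | cut -d' ' -f1 > "$2.sha256"
}

# verify_image OUT: succeed only if OUT still matches its recorded checksum
# (run it again on the floppy after dd, since floppies fail silently).
verify_image() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(cat "$1.sha256")" ]
}

# Demo on constructed data: the "current" manifest reflects one updated package.
demo() {
    work=$(mktemp -d)
    printf 'ipchains 1.3.9\nlibc6 2.0.7\npppd 2.3.11\n' > "$work/last-built.list"
    printf 'ipchains 1.3.9\nlibc6 2.0.7-fix1\npppd 2.3.11\n' > "$work/current.list"
    mkdir -p "$work/root/etc"
    printf 'nameserver 192.0.2.1\n' > "$work/root/etc/resolv.conf"
    if needs_rebuild "$work/last-built.list" "$work/current.list"; then
        build_image "$work/root" "$work/router.img.tgz"
        verify_image "$work/router.img.tgz"
        echo "image rebuilt and verified: $work/router.img.tgz"
        # Deployment step, deliberately not run here:
        #   dd if="$work/router.img.tgz" of=/dev/fd0 && reboot the router
        cp "$work/current.list" "$work/last-built.list"
    else
        echo "no package changes since last build; nothing to do"
    fi
}
demo
```

The manifest comparison is what makes the "rebuild automatically if there are any security fixes" part safe to run from cron: an unchanged manifest produces no new image, so the router is not rebooted for nothing, and the recorded checksum gives a way to confirm that what landed on the floppy is what was built.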


