Re: Building Debian firewall
Before you do too much reinventing of the wheel, you might want to look more
closely at some of the existing "small Linux" distributions that are geared
to floppy-based routers/firewalls. The Debian-derived ones I know of are:
Linux Router Project -- www.linuxrouter.org -OR- lrp.c0wz.com
LEAF -- leaf.sourceforge.net
Though derived from Debian (Slink), they now depart from it quite a bit,
mainly for these reasons:
- the Debian packaging standards require inclusion of a lot of stuff
  inappropriate to floppy-based systems (e.g., man pages and other
  documentation)
- the Debian base relies on apps that are unsuited for single-purpose,
  one-floppy quasi-embedded systems (e.g., Perl)
- single-floppy systems require aggressive minimalization of libraries.
  glibc-2.1 is still too big (though people are working on shrinking it),
  so these distributions still rely on glibc-2.0, and there is interest in
  moving to uClibc when it is a bit more polished.
These (related, BTW) distributions mostly ship as floppy images, with images
available that match common setups (including a nice one for NAT'd
DSL/PPPoE), along with a simplified (compared to .deb or .rpm) packaging
system for adding in desired features. The complexities of routing
requirements -- even if the internal network is always Ethernet, the
external can be Ethernet (to a DSL or cable modem), DS-1 (via a Cyclades
card, for example), ordinary PPP dialup, DSL with PPPoE ... and those are
just the common choices in the USA ... add to that various NAT'ing
possibilities and the possible use of a DMZ -- make the task of designing
and implementing a simple "router/firewall-construction-kit" a somewhat
daunting challenge.
Still, the support system for these existing distributions isn't as slick as
what you envision ... the addition of a source for the "latest security
fixes" would be a real step forward, but the manpower for this seems to be
lacking (though LEAF is better here than official LRP, since it does have
more active developers). Addressing this gap -- either in the context of a
new distribution, if you and others have that much energy, or as part of an
existing project -- sounds like a great idea. Because the embedded-libraries
requirement introduces the need for separate compilation of apps for a
compact distribution of this sort, I don't know if there is a gain from
piggybacking this onto the stock Debian distribution system or not.
There are other router/firewall distributions too, mostly derived from Red
Hat. I have only a passing familiarity with them, but the usual sorts of
searches should turn them up. I doubt they handle the security-update issue
any better, though.
At 12:53 PM 5/28/01 +0200, Andreas Tille wrote:
>On Sun, 27 May 2001, Kirk Schroeder wrote:
>
>> I also understand the minimalist approach; I am currently using a Linux
>> Router-based product. The reason I want to use a Debian-based firewall
>> is the easy use of apt-get to upgrade security updates and the flexibility
>> of adding intrusion detection and other security-based products to my
>> firewall.
>I also will have to install a 486 box as firewall/router. I'd like to
>set it up diskless and just boot it from a single floppy. This would
>avoid using apt-get.
>My idea is that we could perhaps build a "router/firewall-construction-kit"
>package: Having the latest security fixes installed on a master host, a
>floppy image with kernel and all the necessary stuff could be built
>automatically if there are any security fixes and dd-ed to a disk. Then the
>router just needs to be rebooted. No need for any fsck or anything else. No
>waste of energy for spinning hard disks and no additional noise of the box.
>
>Does somebody think that such a Debian-based router/firewall-construction-kit
>would be possible? I'm a bloody beginner in this field.
--
------------------------------------"Never tell me the odds!"---
Ray Olszewski -- Han Solo
Palo Alto, CA ray@comarre.com
----------------------------------------------------------------