Re: Building Debian firewall
On Mon, 28 May 2001, Ray Olszewski wrote:
> Before you do too much reinventing of the wheel, you might want to look more
> closely at some of the existing "small Linux" distributions that are geared
> to floppy-based routers/firewalls. The Debian-derived ones I know of are:
I know these distributions and will have a look at them when time allows.
> Though derived from Debian (Slink), they now depart from it quite a bit,
> mainly for these reasons:
> the Debian packaging standards require inclusion of a lot
> of stuff inappropriate to floppy-based systems
> (e.g., man pages and other documentation)
> the Debian base relies on apps that are unsuited for
> single-purpose, one-floppy quasi-embedded
> systems (e.g., Perl)
To make it clear: I really don't want to build a new Debian-based
distribution. I'm interested in a set of scripts which build a floppy disk
image using some configuration files (for DSL, ISDN, PPP or whatever else) which
is ready to run as a router. Of course this disk image would have no man pages,
Perl, or anything like that.
> single-floppy systems require aggressive minimalization of
> libraries. glibc-2.1 is still too big (though
> people are working on shrinking it), so these
> distributions still rely on glibc-2.0, and there
> is interest in moving to uClibc when it is a bit
> more polished.
Well, so this router-building package would have to depend on the glibc that
is appropriate for a single-floppy router.
> These (related, BTW) distributions mostly ship as floppy images, with images
> available that match common setups (including a nice one for NAT'd
> DSL/PPPoE), along with a simplified (compared to .deb or .rpm) packaging
> system for adding in desired features. The complexities of routing
> requirements -- even if the internal network is always Ethernet, the
> external can be Ethernet (to a DSL or cable modem), DS-1 (via a Cyclades
> card, for example), ordinary PPP dialup, DSL with PPPoE ... and those are
> just the common choices in the USA ... add to that various NAT'ing
> possibilities and the possible use of a DMZ -- make the task of designing
> and implementing a simple "router/firewall-construction-kit" a somewhat
> daunting challenge.
But this is the point: how can I ship a certain set of images for those
different environments? So why not build a chrooted mirror of the floppy
image, do the necessary configuration, and then build the image?
This enables security fixes, easy configuration changes, backups, etc.
> Still, the support system for these existing distributions isn't as slick as
> what you envision ... the addition of a source for the "latest security
> fixes" would be a real step forward, but the manpower for this seems to be
> lacking (though LEAF is better here than official LRP, since it does have
> more active developers). Addressing this gap -- either in the context of a
> new distribution, if you and others have that much energy, or as part of an
> existing project -- sounds like a great idea. Because the embedded-libraries
> requirement introduces the need for separate compilation of apps for a
> compact distribution of this sort, I don't know if there is a gain from
> piggybacking this onto the stock Debian distribution system or not.
I have to admit that I haven't dealt with this subject before, but if I had
the time I would go the way I wanted to describe.
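The staging approach sketched in the message above (a chroot-style tree per environment, configured from a profile, then turned into an image) as an added example; this is not code from the original mail nor from LRP or LEAF. The profile file format, the directory layout, the file names and the use of a tar archive in place of a real mkfs/loop-mounted floppy image are all assumptions for illustration; it assumes a POSIX sh plus GNU coreutils sha256sum.

```sh
#!/bin/sh
# Added example, not code from the original mail or from LRP/LEAF: stage a
# chroot-style tree for a floppy router, apply one of several environment
# profiles (constructed here), record a manifest so a rebuilt image can be
# compared after a security fix, and pack the tree once it fits a 1440 KiB
# floppy. Profile format, file names and layout are assumptions; a real
# build would add the kernel and mkfs the tree onto a loop-mounted image.
set -eu

FLOPPY_KIB=1440

# write_profile DIR NAME: drop a constructed KEY=VALUE profile into DIR.
# Two sample environments: plain PPP dial-up and NAT'd DSL over PPPoE.
write_profile() {
    case $2 in
        ppp)
            printf '%s\n' 'WAN_TYPE=ppp' 'WAN_DEV=ttyS0' 'NAT=yes' > "$1/ppp.profile" ;;
        pppoe)
            printf '%s\n' 'WAN_TYPE=pppoe' 'WAN_DEV=eth1' 'NAT=yes' 'DMZ=no' > "$1/pppoe.profile" ;;
        *)
            echo "unknown profile: $2" >&2; return 1 ;;
    esac
}

# stage_tree STAGEDIR PROFILE: build the minimal tree that becomes the floppy
# root. Only KEY=VALUE lines from the profile go into etc/network.conf;
# comments and blank lines are dropped, anything else aborts the build.
# Nothing else (man pages, Perl, docs) is staged, which is the point.
stage_tree() {
    stage=$1 profile=$2
    rm -rf "$stage"
    mkdir -p "$stage/etc" "$stage/bin" "$stage/sbin" "$stage/var/lib"
    : > "$stage/etc/network.conf"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
            *=*) printf '%s\n' "$line" >> "$stage/etc/network.conf" ;;
            *) echo "bad profile line: $line" >&2; return 1 ;;
        esac
    done < "$profile"
    # Placeholder init script; a real tree would hold the statically linked
    # or glibc-2.0 binaries discussed in the thread.
    printf '#!/bin/sh\n. /etc/network.conf\n' > "$stage/sbin/init"
    chmod 755 "$stage/sbin/init"
}

# write_manifest STAGEDIR: SHA-256 of every regular file, relative to the
# tree, so an image rebuilt after a security fix can be diffed against the
# previous one. The redirect creates MANIFEST first, so find excludes it.
write_manifest() {
    ( cd "$1" && find . -type f ! -name MANIFEST -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$1/MANIFEST"
}

# tree_kib DIR: size of the tree in KiB (du -sk is POSIX).
tree_kib() {
    du -sk "$1" | cut -f1
}

# fits_floppy DIR: succeed if the tree would fit on a 1440 KiB floppy.
fits_floppy() {
    [ "$(tree_kib "$1")" -le "$FLOPPY_KIB" ]
}

# build_image STAGEDIR OUT: pack the staged tree as the root archive for the
# image. Refuses to build a tree that cannot fit the floppy.
build_image() {
    fits_floppy "$1" || { echo "tree too large for floppy" >&2; return 1; }
    tar -C "$1" -cf "$2" .
}

# Demo: sh build.sh demo   (builds the PPPoE profile in a temp dir)
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    write_profile "$work" pppoe
    stage_tree "$work/stage" "$work/pppoe.profile"
    write_manifest "$work/stage"
    build_image "$work/stage" "$work/router.tar"
    echo "image: $work/router.tar ($(tree_kib "$work/stage") KiB staged)"
fi
```

Keeping the staged tree around (rather than only the finished image) is what makes the "security fixes" part cheap: replace the patched binary in the tree, rerun write_manifest and build_image, and diff the two MANIFEST files to see exactly which files changed between the images.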