Author: Paul Virijevich
Both projects include quite a bit of functionality for a diskette-based distro:
- A firewall based on iptables
- Network address translation (NAT) for Internet connection sharing
- Dial-up and Point-to-Point Protocol over Ethernet (PPPoE) support
- Built-in DHCP server
- Built-in caching DNS server
floppyfw
floppyfw comes in two versions. One supports only dial-up, the other adds PPPoE support for cable and DSL connections. You can install both versions from either Linux or Windows. Windows users will need to use Rawrite or WinImage to copy the image to a diskette. Linux users installing the dial-up version can use the dd command:
dd if=floppyfw-current.img of=/dev/fd0
For the PPPoE version, Linux users must run the superformat command first to allow an image larger than 1.4 MB to fit on the floppy. Use:
superformat /dev/fd0u1680
dd if=floppyfw-current-pppoe.img of=/dev/fd0
Configure the application for your environment by editing the file config located in the root directory. This file contains your network information and controls all of floppyfw’s functionality.
For example, to enable DHCP, change the setting:
DHCP_DAEMON=n
to
DHCP_DAEMON=y
and change the parameters
DHCP_RANGE_START=10.42.42.100
DHCP_RANGE_END=10.42.42.200
to meet your network’s requirements.
By default, floppyfw allows outgoing connections established by computers inside the network. Unsolicited connections to your firewall are blocked. This setup has the advantage of not accidentally blocking traffic that internal users depend on. At the same time, however, it allows spyware or trojan horse programs to make it past the firewall, since it trusts all outgoing connections. You can eliminate this problem by setting fine-grained access controls with iptables statements in the file firewall.ini.
One way to do this is to set your firewall to drop all packets. This makes for a very secure and very useless firewall. To fix this problem, you need to specify which outgoing and incoming connections to allow. Here is an example that allows email to be retrieved from a POP3 server:
iptables -A INPUT -i $OUTSIDE_DEVICE -p tcp --sport 110 -j ACCEPT
iptables -A OUTPUT -o $OUTSIDE_DEVICE -p tcp --dport 110 -j ACCEPT
The $OUTSIDE_DEVICE parameter is your Internet interface and is automatically set by floppyfw. Incoming packets with a source port (--sport) of 110 and outgoing packets with a destination port (--dport) of 110 can now traverse the firewall. Without this rule, the default policy is followed and the packets are dropped.
You should consider the above example pseudocode. You must make other changes in firewall.ini for this to work (at a minimum, disabling outgoing connections by default and adding a rule that allows DNS lookups). For more information on iptables, visit netfilter.org.
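The following is an added example, not floppyfw's own firewall.ini, of the fuller ruleset the paragraph above calls for: a default-drop policy, DNS allowed for the firewall's caching resolver, and POP3 allowed for LAN hosts. It uses the connection-tracking state match so that replies are accepted because they belong to a known connection rather than because they happen to carry source port 110, which any remote host could choose. $OUTSIDE_DEVICE is floppyfw's variable; $INSIDE_DEVICE and the interface names are assumptions, and the script runs as a dry run (printing the commands) unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example: default-deny ruleset for a small NAT firewall.
# Dry run by default: IPT="echo iptables" prints the rules instead of applying them.
# On the firewall, run as root with IPT=iptables to apply them.
IPT=${IPT:-"echo iptables"}
OUTSIDE_DEVICE=${OUTSIDE_DEVICE:-eth0}   # floppyfw sets this; eth0 is a placeholder
INSIDE_DEVICE=${INSIDE_DEVICE:-eth1}     # assumed name of the LAN interface

fw_rules() {
    # Start from a clean table and drop everything by default, outgoing included.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback, plus packets that belong to connections already tracked as allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The caching DNS server on the firewall must reach upstream resolvers (UDP and TCP 53).
    for proto in udp tcp; do
        $IPT -A OUTPUT -o "$OUTSIDE_DEVICE" -p "$proto" --dport 53 \
            -m state --state NEW -j ACCEPT
    done

    # LAN hosts may open new POP3 connections outward through the NAT box.
    # Only the first (NEW) packet needs a rule; the server's replies match the
    # ESTABLISHED rule above, so no rule keyed on --sport 110 is required.
    $IPT -A FORWARD -i "$INSIDE_DEVICE" -o "$OUTSIDE_DEVICE" -p tcp --dport 110 \
        -m state --state NEW -j ACCEPT

    # Anything else falls through to the DROP policies; log it so blocked traffic
    # (including a trojan trying to call home) shows up in the firewall's log.
    $IPT -A INPUT -j LOG --log-prefix "fw-drop-in: "
    $IPT -A FORWARD -j LOG --log-prefix "fw-drop-fwd: "
}

fw_rules
```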
Coyote Linux
Coyote Linux is a good alternative to floppyfw. You can install Coyote Linux using its boot disk creation tool under either Linux or Windows. This program asks all of the questions necessary to set up your firewall. When you’re finished answering, you place a diskette in the drive and press Enter. In about a minute, your diskette is ready for use.
Coyote Linux includes a menu-based interface for local administration. Coyote provides both SSH and a Web-based interface for remote administration. You will probably spend most of your time with the Web-based interface. It allows you to:
- Check the status of your firewall
- Configure LAN and Internet settings
- Configure firewall rules
- Configure port-forwarding
- Enable and disable DHCP and DNS caching
- Enable and disable Quality of Service (QoS)
- Back up the system
- Reboot the system
By default, Coyote Linux provides the same level of protection as floppyfw. To set up a more restrictive firewall, use the Web-based administration tool or add your iptables rules to /etc/coyote/firewall.
What the future holds
The days of the diskette are slowly but surely coming to an end. Both floppyfw and Coyote Linux have found ways to avoid dying along with it.
You can run either from a CD-ROM. floppyfw provides an ISO image along with instructions on how to customize the CD for your environment. To run Coyote Linux from a CD, you have to use an add-on that creates a diskette first, which you then customize and use to create your CD image. The problem with the CD approach, with either program, is that configuration changes you make to the running firewall will not survive a reboot.
Both projects also have add-ons that let you run the firewall from a hard drive. This approach lets configuration changes survive a reboot, but a hard drive is another potential point of failure, requires more electricity, and adds heat (the dreaded enemy of stability) to the system.
Both projects also support running from flash memory, via an IDE-to-CompactFlash adapter or a USB pen drive. Running the firewall from flash memory allows configuration changes to survive a reboot and eliminates the possibility of a drive failure. It also allows you to run as many add-ons as you like.
Both applications are extensible via add-on packages that offer everything from print servers to ad-blocking. You can use as many add-ons as you have diskette space. Add-ons for floppyfw can be found on its homepage. A great third-party resource for Coyote Linux add-ons is Claudio’s Coyote Page.
Which one is right for you?
Both floppyfw and Coyote Linux provide adequate protection for home or small office use. So which is right for you?
floppyfw takes a minimalist approach that requires you to understand iptables in order to customize it. Its lack of remote administration could be seen as an advantage for both resource-constrained and security-conscious users. Running SSH or a Web server takes up memory and processor resources that could be used to support more users. It is also one less source of potential vulnerabilities. Those familiar with Linux and command-line administration will feel right at home with floppyfw.
Coyote Linux shines when it comes to ease of use. The disk creation program is easy to install on both Linux and Windows. The Web-based administration interface makes changing firewall settings a breeze. Add-on packages are also easy to install; in most cases, you just copy the file to the diskette and reboot. If you do not have much Linux experience, or if you just prefer graphical administration, Coyote Linux makes more sense for you.
The next time someone asks you when you’re going to throw out all that old computer junk, tell them how open source software can give old hardware new life. You can turn that old hardware into an IP-masquerading, network address-translating, Linux-based firewall on a floppy.
Paul Virijevich is working to eliminate the “Linux consultants cost more” TCO myth. He recently started a consultancy providing cost-effective, open-source solutions to small businesses.