Tuesday, March 13, 2007

Build a Floppy Firewall
Here's how to turn an unused PC into a packet-filtering firewall using a package called floppyfw. The firewall boots off a single floppy, runs completely in RAM, and uses ipchains for the filter rules. It also does IP masquerading, port forwarding, and can log to a remote host using syslog. All this in a machine with as little as 8 MB of RAM and no hard drive!

floppyfw describes itself as a Linux "screening router with firewall capabilities". It boots a Linux kernel and comes with a minimal set of tools to get the job done. If you think about it, that's actually a feature: if a bad guy were to get into your firewall machine somehow, there wouldn't be much for him to use against you. And since the system runs entirely from a RAM disk, a simple reboot from the floppy restores it to its original state. The floppy is the only persistent storage the machine has, so once it is configured, flip its write-protect tab; then nothing done on the running system can survive a reboot.

As with many Linux projects, floppyfw has a do-it-yourself aspect. But I'll show you where I found a set of almost-ready-to-run filter rules, so you can quickly set up your own firewall.

You probably have a suitable machine sitting around (or enough parts to build one). You will need a 386 or better, with:
At least 8 MB of RAM
3.5" floppy drive
Video card
Monitor
Keyboard

Note that if you're going to run headless, you'll only need the keyboard and monitor for setup and testing.

Install a pair of network cards. The following types are supported by floppyfw:
3Com 3c509
NE2000 compatibles
Intel EtherExpress PCI

Make sure each card has its own IRQ and I/O base address. That's simple to set if your network cards have jumpers on them. I used a pair of 3Com 3c509 cards. The first time I booted the machine, both cards came up at IRQ 10 and I/O address 0x300. I fixed that problem using a DOS utility from 3Com called 3C5X9CFG.EXE. Make a bootable DOS floppy, copy the utility onto it, and (with both cards installed) run it. Select a card, then auto-configure to have it choose a new IRQ and I/O address. Do this for both cards, and remember to save the new settings. I found 3C5X9CFG.EXE on EtherDisk 4.3; the newest EtherDisk is available on the 3Com Web site: http://www.3com.com.

Making the floppyfw boot floppy is simple. Download the latest stable image from:
(As of this writing, 1.0.5 is the current image). Then write the image to a floppy:
# dd if=floppyfw-1.0.5.img of=/dev/fd0 bs=72k

This floppy disk is in DOS (FAT) format. Before you can boot it, you'll need to take it to some other machine and edit the config files. I prefer to use Linux mtools, like this:
$ cd /tmp
$ mcopy a:config
$ vi config
$ mcopy config a:

If you need to use another operating system, I understand you can edit these files with Notepad.
There are actually five floppyfw configuration files:
config (main configuration)
firewall.ini (filter rules)
modules.lst (additional ip_masq modules)
syslinux.cfg (kernel boot parameters)
syslog.cfg (syslog config, such as /etc/syslog.conf)

You probably won't need to touch syslinux.cfg or modules.lst at all. So I'll discuss the main file, config. In the interest of clarity, I've stripped out most of the comments. Most of the values are fairly obvious anyway, except maybe for the switches near the end of the file:
OPEN_SHELL controls whether a shell (/bin/ash) is available at the console. On a box that will sit unattended, set it to "n" once you're done testing; otherwise anyone who can reach the console gets a root shell on your firewall. If your machine has less than 12 MB of RAM, set ONLY_8M to "y". USE_SYSLOG determines whether syslogd runs or not, and SYSLOG_FLAGS are the flags passed to syslogd when it does start.

Listing 1 contains my config file. By the way, I wasn't able to get DHCP to work with my cable provider. They seem to have some funky, non-standard DHCP server. Instead, I set things up as if I had a static IP address. It's been working for two years without a problem. Your mileage may vary.

Filter Rules:
Now, let's have a look at firewall.ini. The original file that floppyfw comes with only sets up basic masquerading and rejects a couple of ports. Because we're building a firewall, we need to modify it. However, creating a comprehensive set of filter rules can be a big job. The right policy is default deny: set every chain to drop, then create openings only for the services we actually want to use. I was relieved to find that most of this work has already been done by someone else.

I started with the ipchains example file from Robert L. Ziegler's Web site:
Ziegler is also the author of Linux Firewalls (New Riders Publishing, ISBN: 0735709009). His rules are very well commented, explaining in detail what each set is intended to do. When I actually needed to open ports, these comments were invaluable.
The ipchains rules I started with are available here:

I recommend reading through the entire file first; you don't want to use it as is! There are even some sections with alternative paragraphs, marked with the word "OR". One or the other of the paragraphs is meant to be used, but not both. To activate a section, simply uncomment it.
With a file this large and a limited amount of space on the floppy disk, it might be useful to delete the sections you think you will never use. Of course, it's probably also wise to keep a spare original around just in case. Once you've got a working configuration written to floppy, you should make a few copies of that too, in case the original wears out.

The firewall.ini provided in Listing 2 is one I've modified for floppyfw. To avoid making too many global edits and possibly damaging one or more rules, I made some simple variable substitutions near the top of the file, passing values from floppyfw variables into the appropriate variables used by Ziegler. In a few cases, when there wasn't a handy variable to use, I set the value directly.

Listing 2 should give you an idea what I did to open ports so that clients on my internal network can reach the usual essential services outside: DNS, SMTP, POP, NNTP, TELNET, SSH, FTP, HTTP, and WHOIS. These are outbound openings for masqueraded clients; nothing on the outside can initiate a connection inward. Note that I typically wouldn't have opened the POP port, but I use fetchmail to retrieve mail from a remote provider. If you're nervous about someone snooping your mail while it's being pulled down (POP, like TELNET, sends everything in the clear), fetchmail has a neat feature that lets you first establish an SSH connection and then download your mail over that. In that case, you wouldn't need to open the POP port.
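Since Listing 2 isn't reproduced here, the script below is an added example of the same idea: a default-deny ipchains ruleset for a floppyfw-style box with one outside and one inside card, opening only the outbound client services listed above. It is not the page's Listing 2 and not Ziegler's file. The interface names, the inside network and the firewall's addresses are assumptions; set them to match your own config file. Run it without arguments to print the rules for review, or with "apply" to execute them on the firewall.

```shell
#!/bin/sh
# Added example: compact default-deny ipchains ruleset for a two-card
# masquerading firewall. Not floppyfw's shipped firewall.ini and not
# Ziegler's rules. Interface names and addresses below are assumptions.

OUTSIDE_DEV=eth0              # assumed: card facing the cable modem
INSIDE_DEV=eth1               # assumed: card facing the LAN
INSIDE_NET=192.168.1.0/24     # assumed: the masqueraded LAN
ANY=0.0.0.0/0
LOOPBACK=127.0.0.0/8
UNPRIV=1024:65535             # client-side ephemeral ports

# Outbound TCP services clients may reach: DNS, SMTP, POP, NNTP, TELNET, SSH,
# FTP control, HTTP, WHOIS.  POP and TELNET are cleartext; drop them if unused.
TCP_SERVICES="53 25 110 119 23 22 21 80 43"

# Emit one ipchains command per rule so the set can be reviewed before use.
rule() { printf 'ipchains %s\n' "$*"; }

gen_rules() {
    rule -F
    # Everything not explicitly accepted below is dropped by policy.
    rule -P input DENY
    rule -P output DENY
    rule -P forward DENY

    rule -A input  -i lo -j ACCEPT
    rule -A output -i lo -j ACCEPT

    # Anti-spoofing: log and drop packets on the outside card that claim an
    # inside or loopback source, and packets on the inside card that do not
    # come from the LAN.
    rule -A input -i "$OUTSIDE_DEV" -s "$INSIDE_NET" -j DENY -l
    rule -A input -i "$OUTSIDE_DEV" -s "$LOOPBACK"   -j DENY -l
    rule -A input -i "$INSIDE_DEV"  -s ! "$INSIDE_NET" -j DENY -l

    # The LAN may talk to the firewall and the firewall may answer it.
    rule -A input  -i "$INSIDE_DEV" -s "$INSIDE_NET" -j ACCEPT
    rule -A output -i "$INSIDE_DEV" -d "$INSIDE_NET" -j ACCEPT

    # Outbound TCP: new connections leave from an unprivileged port; only
    # non-SYN (established) replies are accepted back on the outside card.
    for port in $TCP_SERVICES; do
        rule -A output -i "$OUTSIDE_DEV" -p tcp -s "$ANY" "$UNPRIV" -d "$ANY" "$port" -j ACCEPT
        rule -A input  -i "$OUTSIDE_DEV" -p tcp ! -y -s "$ANY" "$port" -d "$ANY" "$UNPRIV" -j ACCEPT
    done

    # Passive FTP data channels run unprivileged-to-unprivileged; active FTP
    # is handled by the ip_masq_ftp module from modules.lst instead.
    rule -A output -i "$OUTSIDE_DEV" -p tcp -s "$ANY" "$UNPRIV" -d "$ANY" "$UNPRIV" -j ACCEPT
    rule -A input  -i "$OUTSIDE_DEV" -p tcp ! -y -s "$ANY" "$UNPRIV" -d "$ANY" "$UNPRIV" -j ACCEPT

    # DNS lookups are normally UDP.
    rule -A output -i "$OUTSIDE_DEV" -p udp -s "$ANY" "$UNPRIV" -d "$ANY" 53 -j ACCEPT
    rule -A input  -i "$OUTSIDE_DEV" -p udp -s "$ANY" 53 -d "$ANY" "$UNPRIV" -j ACCEPT

    # Just enough ICMP for ping and path errors; everything else is dropped.
    rule -A output -i "$OUTSIDE_DEV" -p icmp -s "$ANY" echo-request -j ACCEPT
    for t in echo-reply destination-unreachable time-exceeded; do
        rule -A input -i "$OUTSIDE_DEV" -p icmp -s "$ANY" "$t" -j ACCEPT
    done

    # Masquerade LAN traffic leaving through the outside card; any other
    # forwarding attempt is logged and dropped.
    rule -A forward -i "$OUTSIDE_DEV" -s "$INSIDE_NET" -j MASQ
    rule -A forward -j DENY -l

    # Catch-all with logging, so probes show up in syslog before the policy drops them.
    rule -A input -i "$OUTSIDE_DEV" -j DENY -l
}

case "${1:-print}" in
    apply) gen_rules | sh ;;   # only on the firewall itself
    *)     gen_rules ;;
esac
```

Review the printed rules before applying them. Because the policies are DENY, a typo in one ACCEPT line shows up as a service that silently stops working, and the logged catch-all rules are where you'll see it.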

If you use the default syslog.cfg file, floppyfw will very happily log everything to the console. I run my firewall machine headless (i.e., without a monitor or keyboard), so that wasn't very useful to me. I want to analyze the log to keep an eye on what's happening.

So, I set up one of my internal Linux machines as a log host. To do this, make sure that your log host starts syslogd with the -r option to allow it to receive messages over the network. (On a Red Hat system, for example, you'll need to edit /etc/rc.d/init.d/syslog). Bear in mind that -r makes syslogd accept UDP messages on port 514 from any host, and that nothing authenticates them, so the log host should only be reachable from the internal network and should itself accept port 514 only from the firewall's inside address. Then, set up your syslog.cfg, making sure to point the remote-logging entry at your log host's IP address. See Listing 3 for syslog.cfg.

Once you've got these few files configured and written to the floppy, you can boot up from the floppy and test some things. Make sure your internal machines can all talk to each other. Also, check whether you can access each external service for which you've opened a port. Keep an eye on /var/log/messages on the log host if you're logging remotely, or on the firewall console screen if you're not. These should provide clues as to what's working. You may need to fine-tune your firewall rules a bit. Just be sure to write any changes back to the floppy, or they'll be lost on the next reboot.

Do keep an eye on your log file. When you finally put your firewall into service, you might be surprised to see how many people are doing port scans and other strange things. Isn't it nice to have a firewall?
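Reading the log by hand gets old quickly once the scans start. The script below is an added example, not part of the original post, of the kind of check worth running on the log host: it parses the "Packet log:" lines that ipchains' -l option writes via the kernel to /var/log/messages and reports every source that probed several distinct TCP ports on the outside card. The sample log lines are constructed for this example; the hostname "fw", the addresses and the five-port threshold are assumptions.

```shell
#!/bin/sh
# Added example: flag port scans in ipchains packet logs.
# Log line shape (kernel 2.2 ipchains -l):
#   ... kernel: Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=.. [SYN] (#<rule>)
# Only denied inbound TCP (PROTO=6) is considered; UDP and ICMP are ignored.

# Usage: scan_summary [min_distinct_ports] < /var/log/messages
# Output, one line per flagged source: "source distinct_ports packets port,port,..."
scan_summary() {
    min=${1:-5}
    awk -v min="$min" '
        /kernel: Packet log: input DENY .* PROTO=6 / {
            rest = $0
            sub(/.*PROTO=6 /, "", rest)          # leaves "src:sport dst:dport L=..."
            split(rest, f, " ")
            split(f[1], s, ":")                  # s[1] = source address
            split(f[2], d, ":")                  # d[2] = destination port
            src = s[1]
            packets[src]++
            if (!((src, d[2]) in seen)) {        # count each port once per source
                seen[src, d[2]] = 1
                nports[src]++
                ports[src] = ports[src] (ports[src] == "" ? "" : ",") d[2]
            }
        }
        END {
            for (k in packets)
                if (nports[k] >= min)
                    printf "%s %d %d %s\n", k, nports[k], packets[k], ports[k]
        }
    ' | sort
}

# Constructed sample: one host walking five ports, one host retrying a single
# port, and one unrelated UDP line that must be ignored.
SAMPLE_LOG='Mar 13 22:01:02 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:34567 198.51.100.2:23 L=60 S=0x00 I=2 F=0x4000 T=50 SYN (#40)
Mar 13 22:01:02 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:34568 198.51.100.2:22 L=60 S=0x00 I=3 F=0x4000 T=50 SYN (#40)
Mar 13 22:01:03 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:34569 198.51.100.2:80 L=60 S=0x00 I=4 F=0x4000 T=50 SYN (#40)
Mar 13 22:01:03 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:34570 198.51.100.2:443 L=60 S=0x00 I=5 F=0x4000 T=50 SYN (#40)
Mar 13 22:01:04 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:34571 198.51.100.2:21 L=60 S=0x00 I=6 F=0x4000 T=50 SYN (#40)
Mar 13 22:05:10 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.77:1234 198.51.100.2:135 L=48 S=0x00 I=7 F=0x4000 T=110 SYN (#40)
Mar 13 22:05:11 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.77:1235 198.51.100.2:135 L=48 S=0x00 I=8 F=0x4000 T=110 SYN (#40)
Mar 13 22:06:00 fw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.9:53 198.51.100.2:1025 L=73 S=0x00 I=9 F=0x0000 T=60 (#40)'

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | scan_summary 3 ;;   # prints: 203.0.113.5 5 5 23,22,80,443,21
    "")   : ;;                                              # no argument: just define the function
    *)    scan_summary "$1" ;;                              # e.g. sh scanlog.sh 5 < /var/log/messages
esac
```

The threshold is the only tuning knob: a single host hitting one closed port repeatedly (the 135 probes above) is background noise, while one host touching five ports in a few seconds is a scan. Run it from cron against the previous day's log and you'll have the overview the console never gave you.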