Domain: steinkuehler.net
Stories and comments across the archive that link to steinkuehler.net.
Comments · 20
-
Why reinvent the wheel?
It might earn you geek points by doing up the 2.6 kernel to create a floppy bootable solution but what's the point?
There are many well tested and feature rich solutions out there that it really just seems like re-inventing the wheel.
http://people.freebsd.org/~picobsd/picobsd.html
http://lrp.steinkuehler.net/ -
Re:APT
>your point is moot since *all* Linux distributions come with *several* browsers and several hundred other programs pre-installed
All of them including LEAF/LRP?
Or did you just mean "all of them that meet the criteria that I just said that all of them meet"?
-
Linux Router Project
For a firewall sitting between my LAN and my cable modem, I use LRP. Runs on anything from a 486 upwards, off a floppy. Once you've finished configuring the floppy (takes between 5 mins and 3 hours, depending on how experienced you are with Linux and networking), you can simply write-protect it, and you have a completely uncrackable system. If someone breaks into it, just reboot the computer and it'll load everything back into ramdisk. It can also act as a dhcp and dns server. Check here and here for documentation.
-
Re:Summary of mentioned firewalls, and a question
Linux firewalls and NAT routers were able to handle FTP and IRC at least as far back as the 2.0.x series kernels, using kernel modules that I assume basically forced state tracking on these types of connections. Other modules handle all the other major protocols like this (e.g. RealAudio).
LEAF/LRP/Dachstein do so automatically. I assume most if not all of the others you cite do so as well.
So, to answer your question, the answer is "no". Lack of support for connection tracking is indeed unacceptable. But 2.0.x and 2.2.x have tracking after all, at least where it matters. -
Re:LRP "sold out" ?
I wrote what was once widely appreciated as the most useful howto for using LRP. It is now woefully out of date, and I recommend Eigerstein or Dachstein, which are so well-designed that they don't need that kind of detailed documentation.
I can shed a little more light on the middle-recent history of LRP and LEAF. Two years ago, LRP was indeed the center of all linux floppy firewall/router activity. However, people were starting to innovate, and Dave Cinege (who owns the domain name) never seemed to find the time to update his own work or incorporate that of others. It was a running joke on the mailing list. It would not have been much work for Dave to at least put up links to the sites documenting and extending LRP, but it never seemed to happen.
For a while, linuxrouter.sourceforge.net (now changed to leaf.sourceforge.net) was a repository of all the extra work. Before that everything had been on a crazy collection of obscure personal websites (like mine).
Dave promised major updates to LRP, and then gave up on LRP and decided a completely new, cool project was necessary. This was around the time Tim McVeigh was executed, which Dave considered the murder of a hero or prisoner of war. Without getting into politics or morality, I merely note that it was the last straw for many people, who made a complete split and formed LEAF. I presume it was the rancor behind this split that keeps Dave from mentioning LEAF on his website.
Unfortunately, if you type "linux router" into Google, LEAF shows up way down the list -- maybe 20th.
IMHO, the people working on LEAF are dedicated and impressive. It remains far and away the best floppy-based router/firewall available. It is certainly the most actively maintained. -
Summary of mentioned firewalls, and a question
It looks like a lot of the Linux-based firewalls I've seen recommended here use ipchains with the 2.2 kernel instead of iptables with the 2.4 kernel. As far as I understand, this would mean they can't do connection tracking for things like FTP and IRC. Here's what I'm able to figure out so far...
Firewalls using iptables with 2.4.x kernel:
- Astaro Security Linux: kernel 2.4.x
- BBIAgent: kernel 2.4.13
- ClarkConnect: iptables, kernel 2.4.9-31 (RH 7.2)
- Trinux: iptables, kernel 2.4.x (Slackware)
Firewalls using ipchains with 2.2.x kernel:
- Coyote Linux: kernel 2.2.19
- IPCop: kernel 2.2.x
- LEAF/LRP/Dachstein: kernel 2.2.19
- Mandrake SNF: kernel 2.2.19
- Smoothwall: kernel 2.2.19
Firewalls using ipfwadm with 2.0.x kernel:
My question is, isn't it best to use an iptables-based firewall on a 2.4.x kernel instead of an ipchains- or ipfwadm-based firewall on a 2.2.x or 2.0.x kernel? I definitely want the connection tracking capabilities in the 2.4.x kernel, especially for screwy things like FTP, IRC, etc. (Yes, I know there is an IRC connection tracking patch out now for 2.4 kernels...) Is a kernel that doesn't support connection tracking for firewalls a reasonable option these days? -
Re:LRP "sold out" ?
linuxrouter.org is no longer the center of "Linux-firewall-on-a-floppy" development. It's been seldom updated for several years now; the only important thing on it being the mailing list. The site even apologizes for its own lack of maintenance: Unfortunately most all of the LRP docs at this site are painfully out of date. The LRP still is the basis of most Linux floppy distros, albeit heavily modified.
Instead of linuxrouter.org, the real hotbed of development these days is the LEAF site, LEAF standing for Linux Embedded Appliance Firewall. The steinkuehler.net site you mentioned is a part of LEAF, hosting the Eiger/Dachstein distributions. Unfortunately the linuxrouter.org project doesn't point the way to LEAF. I only found out about it by following the mailing lists.
Ian -
LRP is still alive
LRP hasn't sold out. Check out http://lrp.steinkuehler.net. The latest version is only 3 months old, and comes in CD form.
-
Re:LRP "sold out" ?
The mailing list is active, there are any number of distributions though few on the latest kernels, all appears kosher if not frantically active.
Was there any reason for this possibly very damaging statement?
Yeah, because at the linked site:
- There have been no releases since 0.9.8 on 12 Sep 2000 (a year and a half).
- The only news since then has been three separate sponsors (Cyclades, VA, and Sangoma). It's not clear what the money is being used for.
- The mailing list archives, give 404s on the -devel list. Only the users list seems to be active.
- The "unstable" directory on the site contains only (besides the 0.9.8 release) a few kernel patches made to 2.2.19 in July of 2001.
On the other hand, this site seems quite active. I'm not sure what their relationship is.
-
Do It With A 486
-
LRP
The linux router project is one of the best sources of info on getting that old 486 to work as a router. I had mine running fine until about two months ago when I was able to get a Netgear router for $30 (easier for parents as I was leaving for college).
See www.linuxrouter.org for more information.
Steinkuehler's EigerStein was the distro I used - worked very well.
-Doughnuthole -
Re:consumer preference
So, what's the bug number for the report you filed with them, so that they can fix it? I'd like to try it again after the fix is done, and to do that, I need to track the bug's progress through Sun.
Good luck. I searched for "report bug" and "report StarOffice bug" and didn't find anything. I went to the StarOffice main page and looked for a bug reporting link; also nothing. I went to three different StarOffice FAQs, but none of them had any questions relating to how to report bugs. I looked at the patches page and found some bug numbers, but they were just static text with no links to the bug reports. If there's a bug reporting feature, they've hidden it pretty well.
Very good turn back! I'm impressed. You took what was described as the startup time, replied to as the startup time, and compared it to TCO, thus turning me into the fool. I AM impressed.
I'm not sure what wasn't clear when I was comparing costs of GCC to those of CodeWarrior. I was talking about compile speed, which is a TCO factor, not a startup cost factor. GCC has a lower up-front cost but a much higher TCO.
Dealing with a commercial, closed source vendor, you don't have any leverage (unless you've got deep pockets) to get any particular bug fixed.
All depends on the vendor. In my experience most commercial software vendors are pretty good at fixing major bugs reported by their customers. OTOH, lots of open source developers complain about their fixes for open source bugs being stonewalled -- there have been some notable /. threads on the subject.
The other thing usability design takes, which you neglect to mention, is users. More importantly, users who will tell you why your design sucks or is great. Those are in even shorter supply than money for the OS community (heck, from the money aspect, we've got IBM, Sun, HP, etc, trying to help out). But users who will provide feedback about the interface? Go find me five of them, and I'll be shocked.
I do it all the time. It's part of my job as user experience lead. The answer is, you pay them, or you pay a recruiting firm to find them and pay them. It's not free, and so it doesn't fit into the free software development model.
So, I await word on how your non-programmer, non-admin father (or wife) got along with the Linux Router configuration.
My dad? He got me to install it. But he knew he needed one. My wife? Won't go near the computer anymore, hates it because I use it too much.
Good thing you did it -- they wouldn't have been able to. I took a look at Free Linux-based Floppy-Boot Firewall, which is supposedly easy.
This disk image is very easy to use. See the step-by-step instructions for detailed directions.
Then you go to the instructions. They're six pages long, they use a command line (which lets out your wife and your dad right there), and they're full of non-human-readable stuff like:
Uncomment the module(s) needed for your ethernet card(s). All modules listed in the file are already on your LRP disk. If you are using ne.o, ne2k-pci.o, or e2100.o, you will also need to uncomment 8390.o
Yeah, that's really easy -- for a UNIX system administrator, that is. It's not for ordinary mortals. It shares that with almost all the open source software in the world. That's why, contra the claim in the article, consumers don't prefer open source.
Tim
-
Re:20-40 hours??
You're right.. it is rusty
:) .. NP.
Corrected EigerStein LRP link here
-- -
Re:20-40 hours??
My html is really rusty. Here's the link to the EigerStein LRP implementation:
http://lrp.steinkuehler.net/DiskImages/Eiger/EigerStein2BETA.htm -
Re:Firey balls of broadband
Why don't broadband companies invest a few more dollars (offer to their customers at a discount) good cable or DSL modems that have built-in routers with a bit of security.
I'm really not sure that I want the cable company deciding on what security policy is appropriate for my home network. Either it's going to be worthless and do something boneheaded like not block 139 or it's going to be so tight that I can't take advantage of the fact that I have a fast connection with a pretty much static IP address. I want to be able to have ports 22 and 80 open if I decide that I want that functionality. I want to be able to host my own e-mail domains if I decide that I want to do that. I want to be able to set up my own NAT box and set policies in the way that I see fit. I really don't believe that that's going to happen if the cable company sets things up for me.
What people need to start realizing is that an always on broadband connection to their home is a completely different ball game than any connection through AOL. The only hope I see at this point for broadband being useful to /.ers and for general users is if the market really does become open and we start to have real choice in ISPs with broadband. That way we can have ISPs like FlexNet for those of us who just want a raw internet pipe with none of the extras and AOL for those who want their online experience filtered down and spoon fed to them.
________________
They're - They are
Their - Belonging to them -
@home DHCP == !Security
The worst thing (or possibly the best, depending on how you look at it) about the @home service is that they don't even use the DHCP server to change your IP address on occasion. The DHCP server is just there to make it easier for the incompetent tech when he comes to your house to fuck^H^H^H^Hset up your computer. From a DHCP provides security standpoint this is a bug. I tend to think of it as a feature; I know my IP address.
The skill level of some of these techs is really poor too. When I first got @home a few months ago they sent a tech out to my place. I didn't want to let him near my Linux box (don't think that he would have touched it anyway) and instead let him do his setup thing on my girlfriend's mac. He had a really hard time with that, and we're talking MacOS here not some really oddball alternate OS. Not a chance in hell these guys know what they're doing enough to properly secure machines. I don't trust them any further than I can throw them.
What I do think is quite good is an LRP firewall. Charles Steinkuehler has one that I have found to be quite easy to setup and quite secure on his web site. It's really nice to be able to boot the whole router machine from a write protected floppy and know that if someone does start to mess with it you're only a reboot away from a system w/o any root kits left behind by some k1ddy. Also included are a DHCP server, NAT, and port forwarding. Well worth checking out.
________________
They're - They are
Their - Belonging to them -
Multi Port 100MB Firewall w/ DMZ Support
Let me first issue a caveat. Cheap is in the eye of the beholder.
That said, I think the solution is here. Find any old, preferably Pentium-based box with at least 2 PCI slots, and some Trendnet 4 port 10/100 hub pci card kits w/ a single port 10/100 card and a 15 cable ($79 incl. shipping) and there you have it. Bridge the 2 hub cards and use whatever other nics you want and have room for. Use the Linux Router Project Eiger based version. Here's a link to an image w/ DNS caching, dhcpd, dhcpcd (if you need it), some web based reporting. This guy already did the hard part for you. Just add the rtl8139 module to it and follow the directions to run it headless (easy to do). Yes, tulip based cards have less latency but these work well.
Your total investment should be under $300 for a 16 MB firewall, with 8 port hub, fast ethernet on the DMZ and WAN side, etc. Pick a system like a decent clone or the Dell Optiplex that doesn't need keyboard, mouse and monitor hooked up. I'm using a similar configuration for building infrastructure in office buildings. And it works well.