Slashdot Mirror


Bootable CDROM-based Firewalls?

DNapalm asks: "I work at a small local ISP that is in desperate need of a firewall. We don't have much of a budget, so a hardware-based solution (which I'd prefer) really isn't an option. I've been searching around the web for firewall distributions, and I know what I am looking for. I'd like a boot CD (no install required, no filesystem hacking, just reboot) that stores the configuration on a floppy (that we can easily write protect). It should have a web interface and be able to log to a hard drive or some other machine. Some distributions I've found that seem close are Sentry Firewall, Devil-Linux, NetBoz, ClosedBSD, and Keeper Linux. Has anyone used these? Can you give recommendations? Any help would be appreciated."

50 comments

  1. google by isorox · · Score: 2, Insightful

    You can't afford $60? Or do you want a real router?

    Google/Linux router floppy gives Linux router project

  2. LEAF by SIGBUS · · Score: 4, Informative
    LEAF, with several versions, would be a good starting point. One variant in particular would be Dachstein-CD, which boots off a CD and uses a floppy to back up configuration changes. Note that the Dachstein releases are 2.2/ipchains-based, while Bering, which is floppy-based, is a 2.4/iptables system.

    I'm using a floppy-based Bering system where I work as a multi-ISP router/firewall, and it works quite well.

    --
    Oh, no! You have walked into the slavering fangs of a lurking grue!
    1. Re:LEAF by Anonymous Coward · · Score: 0

      so your entire network is being routed across a system that relies on the most unreliable piece of equipment on a PC?

    2. Re:LEAF by Anonymous Coward · · Score: 0

      Floppy use is the default option for Bering. It's not a requirement. LEAF releases/branches will use almost any boot media supported by Linux. The choice is yours.

      Creating a bootable Bering CD-ROM
      Booting Bering from different boot-media
      Installing and booting Bering from a M-Systems DiskOnChip
  3. Dead site by SIGBUS · · Score: 3, Informative

    The problem is, if you look at the linuxrouter.org main page, you'll find that the site hasn't been updated since May 3, 2001. Most LRP development these days is on the LEAF site.

    --
    Oh, no! You have walked into the slavering fangs of a lurking grue!
  4. Duh, this here magazine sez we needs a firewall! by Anonymous Coward · · Score: 3, Interesting

    For those who wish to avoid the ISP that can't be bothered to actually administer a firewall:

    Synergy Networking
    http://www.synergycorp.com
    1780 SW 43 Ave.
    Fort Lauderdale, FL 33317
    Phone: (954) 792-1866
    Fax: (954) 791-4214
    E-mail: webmaster@synergycorp.com

    Sorry to post anonymously. I'm sick to death of irresponsible ISPs who have no clue how the technology they work with actually works. You're running a goddamned ISP, invest some time into understanding what that firewall is before deploying it.

    I shouldn't be surprised. This ISP is proud to have a "less is more" policy for website design. Hell, right below their claim to have secure web pages, they proudly state their FrontPage support.

  5. Re:Duh, this here magazine sez we needs a firewall by Anonymous Coward · · Score: 2, Funny

    The buzzword "synergy" kills me. What exactly are they synergizing there anyways? It makes me think of that Simpsons quote:

    "Proactive? Paradigm? Aren't these just buzz words that stupid people use to sound smart?"

  6. What options do you need? by matts.nu · · Score: 3, Insightful

    You should really list your needs before you pick a firewall.

    Do you just need a packet filter, to block incoming SYN packets?

    Or are you looking at an application firewall with anti-virus e-mail scanning, web caches, VPNs, separate DMZs for your servers, authentication with OTPs and tokens, etc.?

    Different needs. Different solutions.

    How much staff do you have? Any *nix experts?

    1. Re:What options do you need? by Anonymous Coward · · Score: 0

      Mostly just a packet filter. It isn't a complicated setup. VPN might be something we want in the future, but right now it isn't necessary.

      We have a small staff, with at least one "expert". The problem is we have a lot of other responsibilities, which is why I was looking at the boot CD distros.

  7. SuSE Firewall by Khazunga · · Score: 3, Informative
    You'll want your security advisories delivered to your doorstep, with quick and easy updates. If your time is worth a dime, go for a commercial distro. I'd use SuSE:

    http://www.suse.com/us/business/products/suse_business/firewall/index.html

    --
    If at first you don't succeed, skydiving is not for you
    1. Re:SuSE Firewall by GigsVT · · Score: 1

      A firewall should only very rarely need security updates. You aren't running services on it, right? At most an SSH that is only facing inward....

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    2. Re:SuSE Firewall by Khazunga · · Score: 2
      True. But off the top of my head, I remember at least three recent updates that affected ssh: one for glibc, which allowed privilege escalation, one for libzip for buffer overruns, and one for openssh itself -- which never was clear if it would allow remote compromise.

      Few services == lower maintenance != no maintenance.

      --
      If at first you don't succeed, skydiving is not for you
  8. Gibraltar by acaird · · Score: 4, Informative

    Gibraltar is pretty much what you just described. It worked very well for me in the past, although it looks like development has slowed down (no updates, at least to the free version, in over a year).

    --
    Power corrupts. PowerPoint corrupts absolutely. E. Tufte
    1. Re:Gibraltar by rasjidw · · Score: 1

      Are you sure you are not just checking an out-of-date mirror? Gibraltar 0.99.5 was released only a couple of months ago (i.e., September 2002).

  9. Deal Sites by bacontaco · · Score: 1

    Check out the hot deal forums over at sites like Fatwallet.com or Anandtech. Here's a thread about cheap firewalls from the latter.

  10. Coyote Linux by TheDawgLives · · Score: 1

    Coyote Linux!

    I know it's not supposed to be CDROM based, but it is smaller and easier. They've stopped development on it, so it's pretty stable. You can hack it to run off a CDROM, but it's just as good from a floppy. It's part of the Linux Router Project, and it acts as a pretty good firewall too. It uses IP chains and IP masquerade, so you can do as much or as little configuration as you want.

    --
    -TheDawgLives suckitdown
  11. Uh huh by Anonymous Coward · · Score: 0
    I work at a small local ISP that is in desperate need of a firewall. We don't have much of a budget

    Please give us the name of your company, so we can contact your customers and tell them you're about to flush the last of their money. That way they can go get an ISP with a business plan.

    1. Re:Uh huh by blueroo · · Score: 1

      Maybe if they weren't paying insane licensing fees to run Windows 2000 on their servers, they wouldn't be in such a budget crunch...

      Gotta wonder how much they pay their Web Developer who writes non-compliant HTML and ASP in "QEDIT and some old-fashioned typing" [Check their html source] too.

      And you know hosting those 30 gaming (oops. sorry, they're "Virtual Reality") servers has to be a big money maker, right?

  12. Our firewall by Peter+H.S. · · Score: 3, Interesting

    is a floppy based solution from http://www.zelow.no/floppyfw

    We have a 4Mbit/4Mbit HDSL line, and around 320 nodes. (I am part of a team that runs a small-time volunteer ISP: the whole street I live in joined together to get good Internet access for a reasonable price; Linux all the way, yeah!)

    floppyfw is a quite nice distro; it has loads of add-on packages: VPN (PPTP, Cisco, Intel etc.), PPP, ssh etc. It is rock solid and has high performance (used it for 3-4 years without problems).

    There is also a powerful GUI for configuring it: http://www.fwbuilder.org/
    But it is very simple to maintain and customize without. You just mount -o the image, edit, unmount. Rolling and using your own kernel is also quite easy (we use NAT, and some NAT helper modules are outside the kernel).

    The downside:
    No changing the firewall rules on the fly.
    Changing rules or upgrading, means a reboot lasting a minute or so.
    We have a spare box (can be used as firewall or proxy, dhcp server if necessary), so by changing the default gateway we can avoid loss of Internet connectivity, though it means that people cannot access our web-site in the meantime, but we can live with that (others may not).

    We also use the spare box, as a testing unit for new firewalls, so we can be confident that it works before it is put into production.

  13. Re:Duh, this here magazine sez we needs a firewall by anim8 · · Score: 1

    I'm dying for the opportunity to use 'synergism' in a conversation.

  14. Re:Duh, this here magazine sez we needs a firewall by Anonymous Coward · · Score: 0

    synergism == sinner jism? I smell a new breed of religious jokes...

  15. How to make a bootable CD by Anonymous Coward · · Score: 0

    Set up your system so it does what you want from the harddisk. So install necessary packages, delete unnecessary stuff, recompile kernel, etc.

    When you get it happy, copy it with cp -a to a "working directory" (get all /dev/ and such too). Edit working directory to be runnable as if it is the CD -- this should be a matter of /etc/fstab, and sometimes nothing else, but about half the time you will have a problem at the end and jump back to this step.

    Then make a floppy which boots your system. This can be lilo on a floppy or the whole kernel and initrd on a syslinux'd floppy, whatever. Then make an image of that floppy and save it to your working directory:

    dd if=/dev/fd0 of=/working/b.img

    and then make the bootable CD with this command:

    mkisofs -l -f -J -r -o boot.iso -b b.img /working

    (some of those flags are probably unnecessary, but that's what's in my notes).

    Test and fix as necessary.

    If you wanted it to use the floppy for configuration, just make your working directory do that. If you have a small /etc/ you can just mount /etc on /dev/fd0. Or maybe have the bigger parts that you don't expect to change be links back to the CD.

    However, it sounds to me like all you need to do is use smoothwall or coyote or floppyfw. You don't really state a particular reason why you want to use the floppy; after all, you can always burn another cd to change something, just keep that working directory around for future changes.
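    A pre-build check for that recipe, as an added example (not code from the comment's author): it verifies that the floppy boot image has a size El Torito floppy emulation accepts, that the working directory's fstab mounts the config floppy on /etc read-only (so the write-protect tab and the mount agree), and then runs the mkisofs line above. The paths, the fstab line and the boot.catalog name are assumptions.

```sh
#!/bin/sh
# Added example (not from the comment above): sanity checks on a prepared
# working directory before it is turned into a bootable firewall CD with the
# dd/mkisofs recipe described above. Paths and the fstab line are constructed.

# El Torito floppy emulation only accepts an image that is exactly the size of
# a 1.2M, 1.44M or 2.88M floppy; mkisofs refuses anything else at build time,
# so check before burning. Returns 0 when the image is usable.
check_boot_image() {
    img=$1
    [ -f "$img" ] || { echo "boot image $img not found" >&2; return 1; }
    size=$(wc -c < "$img" | tr -d ' ')
    case "$size" in
        1228800|1474560|2949120) return 0 ;;
        *)
            echo "boot image is $size bytes; need a 1.2M, 1.44M or 2.88M floppy image" >&2
            return 1 ;;
    esac
}

# The configuration floppy should be mounted read-only, so the write-protect
# tab and the mount agree and nothing running on the firewall can rewrite its
# own rules. Returns 0 when etc/fstab in the working directory mounts /dev/fd0
# on /etc with the "ro" option somewhere in the options field.
check_config_fstab() {
    fstab=$1/etc/fstab
    [ -f "$fstab" ] || { echo "$fstab not found" >&2; return 1; }
    grep -Eq '^/dev/fd0[[:space:]]+/etc[[:space:]]+[^[:space:]]+[[:space:]]+([^[:space:]]*,)?ro(,[^[:space:]]*)?([[:space:]]|$)' "$fstab" \
        || { echo "$fstab does not mount /dev/fd0 on /etc read-only" >&2; return 1; }
}

# Runs both checks, then the mkisofs command from the comment above. -b is
# given relative to the ISO root, so the image must live inside the working
# directory (as /working/b.img does above); -c names the boot catalog mkisofs
# writes into the image (assumed name).
build_firewall_iso() {
    workdir=$1 bootimg=$2 iso=$3
    check_boot_image "$workdir/$bootimg" || return 1
    check_config_fstab "$workdir" || return 1
    command -v mkisofs >/dev/null 2>&1 || { echo "mkisofs not installed" >&2; return 1; }
    mkisofs -l -f -J -r -o "$iso" -b "$bootimg" -c boot.catalog "$workdir"
}

# Usage: build_firewall_iso /working b.img boot.iso
```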

  16. Re:Duh, this here magazine sez we needs a firewall by Anonymous Coward · · Score: 0

    A. This wasn't the ISP I was referring to.

    B. What makes you think either the ISP that website is hosted by, or the person who posted the request for help don't know what a firewall is? I understand you are in a rush to rip someone a new one virtually, but try and actually read the request for help.

  17. ISP by Anonymous Coward · · Score: 0

    I posted the request for help. Synergy Corp is NOT the ISP in question, so making fun of it or trying to drive away customers is not something I'd appreciate. While I know you are too busy to actually help a person, it would be nice if you would just ignore the post instead of commenting on something you know nothing about.

    Not every business has the money for a firewall. Not every business can make payroll. Trying to drive away customers won't help.

    Some of you seem to have decided that because I wanted help picking a firewall, I don't know how they are administered. Some are even objecting to the fact that my website is hosted on Windows 2000. There was even a helpful comment about a business plan.

    For those who have submitted actual attempts to help, thank you. For the rest, you might need help yourself.

    1. Re:ISP by vasqzr · · Score: 1

      Not every business can make payroll.

      Oh my...now I'm starting to feel sorry for you!

      You want a cheap firewall?

      Get a Linux box. Buy a Dell/IBM/? P166 on eBay or from some local goon for $20. Put a spare NIC in it so you've got two in the machine, total.

      Go to Amazon.com or your local bookstore and buy a book on linux firewalls. If you're lucky you'll get a book that includes a linux CD, otherwise spend $5 and order one from CheapBytes, or download an ISO.

      Install Linux, configure the firewall, install on your network. If in more than an hour or two you are still stumped, pay a local Linux geek $100 to do it, or maybe let him co-lo a server at your 'ISP'

      Total cost? Not much.

    2. Re:ISP by Anonymous Coward · · Score: 0

      Dude, he totally suckered you. Heehee.

  18. LEAF! by erth64net · · Score: 2, Interesting

    I use LEAF, and have since they forked their code from the original "Cop Killer" Dave at linuxrouter.org. The Bering floppy and CD images are the best, with tools like GRSecurity (enhanced kernel security), Shorewall (great tool for configuring ipchains, for every possible setup), FreeS/WAN (IPSEC/VPN tools), and a 2.4 based kernel that works great on a 486. The best thing is the developers over at LEAF, keep their packages current.

    At present, I have 6 offices hanging off this setup, with each one running the VPN daemon as well. There are plans in place (installation stage) to get 6 more internet circuits for the rest of our offices, making for a total of 12 offices running off this code. It's excellent code, with a very well integrated setup, using standard tools, and gobs of documentation.

    The best thing; except for the main office (which uses a P166), everyone else will be running their firewall and VPNs on pentium 100's or 120's, with 24 or 32 megs of ram.

  19. Securepoint. by billn · · Score: 1

    Offers their product for download, and includes a Windows VPN client along with it. Bootable CD, etc.

    --
    - billn
  20. No one's mentioned one of the most popular.. by dublin · · Score: 2

    I'm really surprised - there are posts here mentioning some truly obscure solutions, but no one's mentioned one of the most popular: Smoothwall is all-CD-based, and is certainly one of the most widely used CD-based firewall distros on the net. The link above is to Smoothwall's corporate, supported version, but a less featureful free version is available. It used to integrate well with the Dan's Guardian content filter, until Dan joined Smoothwall, so they no longer tell you how to make the two work together, since that would compete with their commercial offering. Still, their pricing seems reasonable, and while not a state-of-the-art firewall, it's no worse than all the other stateful packet filters out there. (Ultimately, that's just not a very good way to provide security, which is why SPFs are no longer permitted by the military.)

    If you don't have to have it run from CD, you should probably check out T-Rex (NOT a stateful packet filter, but the free version is lagging a bit), or, if you need a firewall combined with other functions (such as serving files, mail, web, etc.) then check out e-smith or ClarkConnect.

    --
    "The future's good and the present is nothing to sneeze at." - Roblimo's last ./ post
    1. Re:No one's mentioned one of the most popular.. by raxhonp · · Score: 1

      But it's not exactly what the poster asks for. I'm also using smoothwall and like it, but AFAIK one needs to install it on a HD, no way it can be run directly from the CD.

    2. Re:No one's mentioned one of the most popular.. by dublin · · Score: 2

      The CD I have (admittedly, given to me by a friend - I thought it was a standard CD, but perhaps he altered it) is designed to run Smoothwall entirely from CD, and that way, even if the machine is compromised, there's no real damage done...

      --
      "The future's good and the present is nothing to sneeze at." - Roblimo's last ./ post
  21. floppyfw by Screaming+Lunatic · · Score: 2

    Floppyfw is actually a (surprise!!) floppy based distro. But there is also an ISO image. I use it at home. I have friends that also use it for their networks. Works well. Easy to set up. From the webpage, the author claims he has used it for networks with thousands of computers. I wouldn't doubt it.

  22. Devil Linux by cornice · · Score: 2

    I use Devil Linux on one network that I administer. The docs are a bit scant and mostly point you to the docs for each service you install, but overall I think the firewall is excellent. It's built from Linux From Scratch. All but the config files are on the CD. The config files are on a write protected floppy. There is support for most common services for those shops that can't afford a firewall and mail server, for example. I know this isn't the best idea but it is a practical reality for many. At least Devil Linux offers chroot jails, and since a reboot sets the server back to the original install state (except for any mail spool that is saved on a disk) the exposure is fairly low. There is also support for FirewallBuilder scripts and most common services. I think Devil Linux is at least worth consideration. It's actively developed and GPL'ed.

  23. Gnatbox by Wicked+Panda · · Score: 2, Informative

    http://www.gta.com

    Simple floppy based firewall, with GUI for those who want it. Easily configured, and rated highly by several publications. Logs via syslog to another system. Can do email and dns proxying if you need it. Doesn't do CDROM, but you can do flash memory.

    Basically, a BSD derived firewall that was split from the tree a few years ago. They have an active development effort, and sell commercial products just for your situation. Commercial versions of Gnatbox are not cheap, but there is a good installed base, and a good mailing list that will help with stuff.

  24. Whole firewall on CD by Anonymous Coward · · Score: 0

    Put the whole firewall on CD per Dingetje's "Not Quite a How-To" here:

    http://dingetje.homeip.net/deoren/

    It would be sweet if more small firewalls could run like this.

  25. I must be missing something... by maunleon · · Score: 1

    1. Why boot from the CD? Why not boot from the hard drive? Are you really on a HD-less PC, and can't afford to buy a small drive? I can't imagine when this solution is viable. It would make sense if you were in a highly fluid environment, but in most production environments, you can afford a cheap PC with a hard drive.

    2. You can boot your linux/bsd/whatever firewall using PXE or some other environment.

    3. If you are dead set on the CD solution, do you need a floppy thrown in the mix as well? A CD is dirt cheap these days; you can just burn another copy with the new settings. Or just use a rewritable CD. Or read your settings from the network.. floppy disks die nasty deaths for various reasons.

    1. Re:I must be missing something... by Anonymous Coward · · Score: 0

      The neatest alternative is booting from a CF card. Quick, no moving parts, easy to swap.

      http://www.mydigitaldiscount.com/display_product.cfm?product_id=21

      I use these inexpensive, simple card holders, which fit in a 3.5" bay, to avoid opening the case. Add a power switch and they could even be hot-swap.

    2. Re:I must be missing something... by Anonymous Coward · · Score: 0

      "1. Why boot from the CD? Why not boot from the hard drive? Are you really on a HD-less PC, and can't afford to buy a small drive? I can't imagine when this solution is viable. It would make sense if you were in a highly fluid environment, but in most production environments, you can afford a cheap PC with a hard drive."

      A CD based solution has some advantages. You don't have to worry about hard drive crashes or even system crashes, as you can just take the CD to another machine. Also, if it is hacked, they can't make permanent changes to the filesystem. You just have to reboot (while hopefully downloading and burning a new image). Plus, no install required is nice if you ever have to move machines.

      "2. You can boot your linux/bsd/whatever firewall using PXE or some other environment."

      I didn't consider that. Thanks.

      "3. If you are deadset on the CD solution, do you need a floppy thrown in the mix as well? a CD is dirt cheap these days, you can just burn another copy with the new settings. Or just use a rewritable CD. Or read your settings from the network.. floppy disks die nasty deaths for various reasons."

      The floppy is for storing the configuration of the firewall. It doesn't make sense to burn a new CD every time I change a rule or setting. Yes floppy disks die, but they are easy to back up. Storing the config on a hard drive would make it less portable. Also, you can easily make a floppy write-protected.

  26. Another Firewall by Anonymous Coward · · Score: 0
    Just a quick plug for BBIAgent www.bbiagent.net. They do a sweet floppy based firewall which uses javascript for administration and you can even remove the floppy disk after it boots.

    I have BTW heard nasty things about Smoothwall which is why I'm posting this AC. The guy who runs it is an arrogant bastard and their standard reply to a support question is 'RTFM'

  27. fli4l by Tux2000 · · Score: 1

    fli4l plus OPT_BOOTCD. You may also want to read one of the HOWTOs fli4l auf CDR or isofli4l.

    fli4l is a German language project, but fli4l itself also has English documentation.

    --
    Thinking helps.
  28. Re:Duh, this here magazine sez we needs a firewall by Anonymous Coward · · Score: 0

    Ah. So that would be why VRFY dnapalm@synergycorp.com returns a 250, eh? Nope. Don't work there at all, do ya?

  29. Re:Duh, this here magazine sez we needs a firewall by Anonymous Coward · · Score: 0

    "Ah. So that would be why VRFY dnapalm@synergycorp.com returns a 250, eh? Nope. Don't work there at all, do ya?"

    He hosts my website and email. It's a one-man consulting business. He's a friend who does it for free, so I'm not too thrilled about someone trying to drive away his customers in a misguided attempt at outrage. I would think if you were interested in stopping these "irresponsible ISPs" from running without security, you would have posted something helpful, instead of an attack.

  30. Re:Duh, this here magazine sez we needs a firewall by User+956 · · Score: 2

    He hosts my website and email. It's a one-man consulting business.

    Does he know what synergy means?

    synergy: Cooperative interaction among groups, especially among the acquired subsidiaries or merged parts of a corporation, that creates an enhanced combined effect.

    I don't know about you, but I wouldn't trust a business whose very name lies about the structure of their organization.

    --
    The theory of relativity doesn't work right in Arkansas.
  31. Re:Duh, this here magazine sez we needs a firewall by Anonymous Coward · · Score: 0

    How the fuck do you know that this guy didn't just take the job of admin'ing the place? What makes you think *he's* the one that made the mistake?

    Sorry to post anonymously. I'm sick to death of irresponsible morons in the Linux community that go 'round chanting "RTFM! RTFM!". The guy came to Slashdot for help...that means he knew there was a problem. Step One. He knows that people on Slashdot are (excepting you) well informed about a variety of topics, Linux and Network security being two of those. I'd say that, considering his budget, he did exactly the right thing.

    Oh...and this just in - You don't make secure web pages - You make secure web SERVERS. UNIX has support for FrontPage. Are we going to whine about UNIX now?

  32. Re:Duh, this here magazine sez we needs a firewall by Anonymous Coward · · Score: 0

    Does he know what synergy means?

    synergy: Cooperative interaction among groups, especially among the acquired subsidiaries or merged parts of a corporation, that creates an enhanced combined effect.

    I don't know about you, but I wouldn't trust a business whose very name lies about the structure of their organization.

    It's a consulting business that does system integration work. Does he have to have internal synergy? Does anyone hold Microsoft to the "micro" part?

  33. He's a liar. admit it. by User+956 · · Score: 2

    Me: I don't know about you, but I wouldn't trust a business whose very name lies about the structure of their organization.

    You: It's a consulting business that does system integration work. Does he have to have internal synergy? Does anyone hold Microsoft to the "micro" part?

    Given that he also refers to himself as "we" (see the web page: "Try Synergy, and find out why we're proud to be the best at what we do. "), I'm more inclined to believe that he's a liar, and is abusing a hackneyed buzzword in an attempt to seem much larger and more established than he actually is.

    And that's worse than lying to the client through your name. If he's so good at what he does, why can't he just say "I", and let his great reputation in his field do the talking? What kind of business relationship can one expect with an organization that's dishonest from square one?

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:He's a liar. admit it. by Anonymous Coward · · Score: 0

      If he's so good at what he does, why can't he just say "I", and let his great reputation in his field do the talking? What kind of business relationship can one expect with an organization that's dishonest from square one?

      The normal kind.

    2. Re:He's a liar. admit it. by User+956 · · Score: 2

      The normal kind.

      Then why refer to himself as "we"? Is he British royalty?

      --
      The theory of relativity doesn't work right in Arkansas.
  34. liar part deux by User+956 · · Score: 2

    It's a consulting business that does system integration work.

    Really? Judging by this portion of their website, I'd say it's more likely a fifteen-year-old trying to parlay his limited Linux experience into a business, so he can avoid having to go to college, like regular people:

    We've hosted servers for interactive games such as Starsiege Tribes for years. We've been following role-playing games with more in-depth interaction for some time, and now host Sphere servers ... Our game-hosting rates start at $100/month.

    --
    The theory of relativity doesn't work right in Arkansas.
  35. Re:Duh, this here magazine sez we needs a firewall by Entropos · · Score: 1
    I'm sick to death of irresponsible morons in the Linux community that go 'round chanting "RTFM! RTFM!".

    Well I did read the Kamasutra and I still don't know a fucking shit about Linux.