Slashdot Mirror


Bootable CDROM-based Firewalls?

DNapalm asks: "I work at a small local ISP that is in desperate need of a firewall. We don't have much of a budget, so a hardware-based solution (which I'd prefer) really isn't an option. I've been searching around the web for firewall distributions, and I know what I am looking for. I'd like a boot CD (no install required, no filesystem hacking, just reboot) that stores the configuration on a floppy (that we can easily write protect). It should have a web interface and be able to log to a hard drive or some other machine. Some distributions I've found that seem close are Sentry Firewall, Devil-Linux, NetBoz, ClosedBSD, and Keeper Linux. Has anyone used these? Can you give recommendations? Any help would be appreciated."

3 of 50 comments

  1. Duh, this here magazine sez we needs a firewall! by Anonymous Coward · Score: 3, Interesting

    For those who wish to avoid the ISP that can't be bothered to actually administer a firewall:

    Synergy Networking
    http://www.synergycorp.com
    1780 SW 43 Ave.
    Fort Lauderdale, FL 33317
    Phone: (954) 792-1866
    Fax: (954) 791-4214
    E-mail: webmaster@synergycorp.com

    Sorry to post anonymously. I'm sick to death of irresponsible ISPs who have no clue how the technology they work with actually works. You're running a goddamned ISP, invest some time into understanding what that firewall is before deploying it.

    I shouldn't be surprised. This ISP is proud to have a "less is more" policy for website design. Hell, right below their claim to have secure web pages, they proudly state their FrontPage support.

  2. Our firewall by Peter+H.S. · Score: 3, Interesting

    is a floppy based solution from http://www.zelow.no/floppyfw

    We have a 4Mbit/4Mbit HDSL line, and around 320 nodes. (I am part of a team that runs a small-time volunteer ISP: the whole street I live in joined together to get good Internet access for a reasonable price; Linux all the way, yeah!)

    floppyfw is quite a nice distro; it has loads of add-on packages: VPN (PPTP, Cisco, Intel etc.), PPP, ssh etc. It is rock solid and has high performance (used it for 3-4 years without problems).

    There is also a powerful GUI for configuring it: http://www.fwbuilder.org/
    But it is very simple to maintain and customize without. You just mount -o the image, edit, unmount. Rolling and using your own kernel is also quite easy (we use NAT, and some NAT helper modules are outside the kernel).

    The downside:
    No changing the firewall rules on the fly.
    Changing rules or upgrading, means a reboot lasting a minute or so.
    We have a spare box (can be used as firewall or proxy, DHCP server if necessary), so by changing the default gateway, we can avoid loss of Internet connectivity, though it means that people cannot access our web-site in the meantime, but we can live with that (others may not).

    We also use the spare box as a testing unit for new firewalls, so we can be confident that it works before it is put into production.

  3. LEAF! by erth64net · Score: 2, Interesting

    I use LEAF, and have since they forked their code from the original "Cop Killer" Dave at linuxrouter.org. The Bering floppy and CD images are the best, with tools like GRSecurity (enhanced kernel security), Shorewall (great tool for configuring ipchains, for every possible setup), FreeS/WAN (IPSEC/VPN tools), and a 2.4 based kernel that works great on a 486. The best thing is that the developers over at LEAF keep their packages current.

    At present, I have 6 offices hanging off this setup, with each one running the VPN daemon as well. There are plans in place (installation stage) to get 6 more internet circuits for the rest of our offices, making for a total of 12 offices running off this code. It's excellent code, with a very well integrated setup, using standard tools, and gobs of documentation.

    The best thing: except for the main office (which uses a P166), everyone else will be running their firewall and VPNs on Pentium 100s or 120s, with 24 or 32 megs of RAM.