a Floppy Firewall
Here's how I turned an unused PC into a packet-filtering
firewall using a package called floppyfw. The firewall boots
off a single floppy, runs completely in RAM, and uses ipchains for
the filter rules. It also does IP masquerading, port forwarding,
and can log to a remote host using syslog. All this in a
machine with as little as 8 MB of RAM and no hard drive!
floppyfw's author, Thomas Lundquist, describes it
as a Linux "screening router with firewall capabilities".
It boots a Linux kernel and comes with a minimal set of tools to
get the job done. If you think about it, that's actually a
feature. If a bad guy were to get into your firewall machine somehow,
there won't be much for him to use against you. And since we're
running completely on a RAM disk, a simple reboot from the floppy
will restore the system to its original state.
As with many Linux projects, floppyfw has a do-it-yourself
aspect. But I'll show you where I found a set of almost-ready-to-run
filter rules, so you can quickly set up your own firewall.
You probably have a suitable machine sitting around (or enough
parts to build one). You will need a 386 or better, with:
- At least 8-MB RAM
- 3.5" floppy drive
- Video card
- video monitor
Note that if you're going to run "headless", you'll
only need the keyboard and monitor for setup and testing.
Install a pair of network cards. The following types are supported
- 3Com 3c509
- NE2000 compatibles
- Intel EtherExpress PCI
Make sure each card has its own IRQ and memory address. That's
simple to set if your network cards have jumpers on them. I used
a pair of 3Com 3c509 cards. The first time I booted the machine,
both cards came up at IRQ 10 and 0x300. I fixed that problem using
a DOS utility from 3Com called 3C5X9CFG.EXE. Make a bootable DOS
floppy, copy the utility onto it, and (with both cards installed)
run it. Select a card, then auto-configure to have it choose a new
IRQ and memory address. Do this for both cards, and remember to
save the new settings. I found 3C5X9CFG.EXE on EtherDisk 4.3; the
newest EtherDisk is available on the 3Com Web site: http://www.3com.com.
Making the floppyfw boot floppy is simple. Download the
latest stable image from:
(As of this writing, 1.0.5 is the current image). Then write the image
to a floppy:
# dd if=floppyfw-1.0.5.img of=/dev/fd0 bs=72k
This floppy disk is in DOS (FAT) format. Before you can boot it,
you'll need to take it to some other machine and edit the config
files. I prefer to use Linux mtools, like this:
$ cd /tmp
$ mcopy a:config
$ vi config
$ mcopy config a:
If you need to use another operating system, I understand you can
edit these files with NotePad.
There are actually five floppyfw configuration files:
- config (main configuration)
- firewall.ini (filter rules)
- modules.lst (additional ip_masq modules)
- syslinux.cfg (kernel boot parameters)
- syslog.cfg (syslog config, such as /etc/syslog.conf)
You probably won't need to touch syslinux.cfg or modules.lst
at all. So I'll discuss the main file, config. In the
interest of clarity, I've stripped out most of the comments.
Most of the values are fairly obvious anyway, except maybe for the
switches near the end of the file:
OPEN_SHELL controls shell access (/bin/ash) at the
console. If your machine has less than 12MB of RAM, set ONLY_8M
to "y". USE_SYSLOG determines whether syslogd
runs or not, and SYSLOG_FLAGS are the flags passed to syslogd
when it does start.
Listing 1 contains my config file. By the way, I wasn't able
to get DHCP to work with my cable provider. They seem to have some
funky, non-standard DHCP server. Instead, I set things up as if
I had a static IP address. It's been working for two years
without a problem. Your mileage may vary.
Now, let's have a look at firewall.ini. The original
file that floppyfw comes with only sets up basic masquerading
and rejects a couple of ports. Because we're building a firewall,
we need to modify it. However, creating a comprehensive set of filter
rules can be a big job. Logically, we want to close off all the
ports and only create openings for services we want to use. I was
relieved to find that most of this work has already been done by
I started with the ipchains example file from Robert L.
Ziegler's Web site:
Ziegler is also the author of Linux Firewalls (New Riders Publishing,
ISBN: 0735709009). His rules are very well commented, explaining in
detail what each set is intended to do. When I actually needed to
open ports, these comments were invaluable.
The ipchains rules I started with are available here:
I recommend reading through the entire file first; you don't
want to use it as is! There are even some sections with alternative
paragraphs, marked with the word "OR". One or the other
of the paragraphs is meant to be used, but not both. To activate a
section, simply uncomment it.
With a file this large and a limited amount of space on the floppy
disk, it might be useful to delete the sections you think you will
never use. Of course, it's probably also wise to keep a spare
original around just in case. Once you've got a working configuration
written to floppy, you should make a few copies of that too, in
case the original wears out.
The firewall.ini provided in Listing 2 is one I've
modified for floppyfw. To avoid making too many global edits
and possibly damaging one or more rules, I made some simple variable
substitutions near the top of the file, passing values from floppyfw
variables into the appropriate variables used by Ziegler. In a few
cases, when there wasn't a handy variable to use, I set the
Listing 2 should give you an idea what I did to open ports to
allow clients on my internal network to access the usual essential
services: DNS, SMTP, POP, NNTP, TELNET, SSH, FTP, HTTP, and WHOIS.
Note that I typically wouldn't have opened the POP port, but
I use fetchmail to retrieve mail from a remote provider.
If you're nervous about someone snooping your mail while it's
being pulled down, fetchmail has a neat feature that lets
you first establish an SSH connection and then download your mail
over that. In that case, you wouldn't need to open the POP
If you use the default syslog.cfg file, floppyfw
will very happily log everything to the console. I run my firewall
machine headless (i.e., without a monitor or keyboard), so that
wasn't very useful to me. I want to analyze the log to keep
an eye on what's happening.
So, I set up one of my internal Linux machines as a log host.
To do this, make sure that your log host starts syslogd with
the -r option to allow it receive messages over the network.
(On a Red Hat system, for example, you'll need to edit /etc/rc.d/init.d/syslog).
Then, set up your syslog.cfg, making sure to change the 192.168.1.2
to your log host's IP address. See Listing 3 for syslog.cfg.
Once you've got these few files configured and written to
the floppy, you can boot up from the floppy and test some things.
Make sure your internal machines can all talk to each other. Also,
check whether you can access each external service for which you've
opened a port. Keep an eye on /var/log/messages if you're
logging remotely or on the firewall console screen if you're
not. These should provide clues as to what's working. You may
need to fine tune your firewall rules a bit. Just be sure to write
any changes back to the floppy, or they'll be lost.
Do keep an eye on your log file. When you finally put your firewall
into service, you might be surprised to see how many people are
doing port scans and other strange things. Isn't it nice to
have a firewall?
Floppyfw by Thomas Lundquist:
Linux Firewalls by Robert L. Ziegler:
Andy Meyer as worked as an amusement ride operator and a technical
support engineer. For the past two years, he's been doing Linux
administration at Bell Laboratories in Murray Hill, NJ. In his spare
time, he likes to race HO-scale slot cars.