By Gerry Patterson
This article looks at the creation of a router/firewall in a small business and home/office application.
BSD Router Firewall
There was a good stockpile of old computer bits and pieces: Pentium I and Pentium II machines that, although abandoned by Microsoft, still deliver acceptable performance when driven by open source operating systems. There was more than enough material to build two routers.
Pentium I Router - BSD 4.4
I chose BSD because overall it seems to offer very good networking support. The configuration of network cards, especially PCI Ethernet cards, is easy. Testing a PCI card usually requires only inserting the card and creating a new interface.
However, there was a hidden trap, which I discovered after testing several cards: the ifconfig destroy command does not appear to work very well.
I had used the /stand/sysinstall menu to create the interfaces. Having found some useful cards, I tried to remove the unwanted interfaces. For example, if there is an interface called "xl0" that is no longer required, the following command should remove it:
ifconfig xl0 destroy
I found several references online alluding to a "bug" in ifconfig "destroy", which supposedly only works on interfaces that were created with ifconfig "create". My experience (with BSD 4.4) suggested that ifconfig "destroy" doesn't work at all! I experimented with both /stand/sysinstall and the ifconfig "create" command to create the interfaces. In each case the destroy command failed to work. Once I had sorted out which cards were OK, I reinstalled the software (which got rid of the unused interfaces).
After the basic install, the following additional packages were added:
Pentium II Server/Router Suse 8.1
I chose to configure the software, opting for:
- C/C++ Compiler
- Help & Support
- Uncheck anything that mentioned GUI or KDE
This seemed to work OK after deselecting some packages that had conflicts (some of the help and support programs had GUI components). The installation procedure gave the option of skipping the packages that had problems. The result was a console-only install of most of the packages required for a Windows server (with Samba). The YaST configuration tool was installed in console mode. The installation procedure automatically detected the onboard Ethernet adaptor; the additional RealTek adaptor had to be configured manually (I used YaST).
The connection supplied by BigPond used an SB4200 cable modem. I tried BigPond technical support and was disappointed to discover that, despite the name, they were neither technical nor supportive.
The SB4200 uses DHCP to assign addresses and will support up to 32 separate devices. Fortunately, there is an excellent open source package called BPALogin (see bibliography), which handles the login to the Big Pond network on Linux, BSD or other *nix operating systems.
The following are some useful links for getting a firewall router to work.
Shane Hyde: BPALogin. Replacement for the Telstra-supplied client for connecting to and using Telstra's Big Pond Advance powered by Cable. The current implementation was written by Shane Hyde, but is now being maintained by William Rose and others based at SourceForge.
David Ranch: Linux IP Masquerade HOWTO. A must-read for anyone trying to implement a firewall in Linux.