A free, convenient Linux firewall

Source: Internet
Author: User

From their birth to the present, firewalls have gone through four stages of development: first, firewalls based on routers; second, user firewall tool sets; third, firewalls built on a general-purpose operating system; fourth, firewalls with a secure operating system. At present, most of the world's firewall vendors provide firewalls that combine hardware and software on a secure operating system, such as the well-known Neteye, NetScreen, Talentit and so on. There is also a lot of firewall software for Linux: some of it is commercial, and some is completely free and open source. Most Linux tutorials mention how to use ipchains to build firewalls on Linux platforms.

Setting up and managing firewalls on Linux is an important task for network system administrators. In general, configuring a firewall is technically demanding work. Whether it is a commercial firewall or a completely free one, you need to configure the hardware and software on the Linux platform.

Is there a handy Linux firewall that you can carry with you? The answer is yes, and here I would like to introduce a Linux firewall that fits on an ordinary floppy disk. This firewall, named floppyfw, is stored on an ordinary floppy disk and runs entirely in RAM. It lets you boot your computer, use ipchains to filter out unwanted IP packets, configure IP masquerading and port monitoring, and use the host to remotely control computers on other networks. floppyfw is very capable, yet its hardware requirements are very low: besides a floppy drive, 8MB of memory is enough.

The minimum hardware required by floppyfw is as follows:

Minimum 8MB memory

3.5" floppy drive

Video card

Keyboard

Monitor

floppyfw needs two network cards in the machine to work normally, and the IRQ and memory address of each card must be correct. Configuring dual NICs in a Linux system is something a system administrator can be trusted to handle.

floppyfw supports the following network adapters:

3Com 3c509

NE2000 compatibles

Tulip-based

Intel EtherExpress PCI

About Software:

It is very easy to make a floppy disk that boots floppyfw. First, go to http://www.zelow.no/floppyfw/download/ and download floppyfw to your computer's hard disk. The latest version of floppyfw should be 1.0.5 or higher. floppyfw is distributed as an image file; use the following command to write the image to a prepared floppy disk:

# dd if=floppyfw-1.0.5.img of=/dev/fd0 bs=72k
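An added example (not part of the original article or of the floppyfw project): a shell wrapper around the dd step above that reads the written bytes back and compares them with the image, so that a bad disk is caught before the firewall depends on it. The function names are hypothetical, and the target is passed as an argument so that a scratch file can stand in for /dev/fd0.

```shell
#!/bin/sh
# Added example: write a floppyfw image and confirm the copy byte-for-byte.
# Function names are hypothetical; TARGET is /dev/fd0 on a real machine.

# verify_copy IMAGE TARGET -> 0 if the first size(IMAGE) bytes of TARGET
# equal IMAGE, 1 on mismatch or short target, 2 if IMAGE is unusable.
verify_copy() {
    [ -r "$1" ] || { echo "cannot read image: $1" >&2; return 2; }
    vc_size=$(wc -c < "$1" | tr -d ' ')
    [ "$vc_size" -gt 0 ] || { echo "empty image: $1" >&2; return 2; }
    # The device is normally larger than the image, so compare only the
    # bytes that were written rather than the whole device.
    head -c "$vc_size" "$2" | cmp -s - "$1"
}

# write_and_verify IMAGE TARGET -> 0 only if dd succeeded and the copy matches.
write_and_verify() {
    [ -r "$1" ] || { echo "cannot read image: $1" >&2; return 2; }
    # Same dd invocation as in the article; conv=notrunc leaves the rest of
    # a regular-file target alone, as a block device would.
    dd if="$1" of="$2" bs=72k conv=notrunc 2>/dev/null || {
        echo "dd failed writing $2" >&2; return 3; }
    sync    # flush buffered writes before reading back
    if verify_copy "$1" "$2"; then
        echo "OK: $2 matches $1"
    else
        echo "MISMATCH: $2 differs from $1, try another disk" >&2
        return 1
    fi
}

# Run as: sh write_floppy.sh floppyfw-1.0.5.img /dev/fd0
if [ "$#" -eq 2 ]; then
    write_and_verify "$1" "$2"
fi
```

On a real drive, the read-back may be served from the kernel's cache; reinserting the disk and running verify_copy again checks the media itself.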

About settings:

Note that the floppy disk uses the ordinary DOS (FAT) format. For the Linux system to start smoothly, we need to make some changes on this floppy disk. It is recommended that you use a different computer to modify the disk, preferably with the mtools package on a Linux system.

The following commands are used:

$ cd /tmp

$ mcopy a:config

$ vi config

$ mcopy config a:

If you are using a different operating system, I think you can use Notepad to make the changes in Windows. On the floppy disk, we can see that floppyfw has 5 files:

config (primary configuration file)

firewall.ini (filtering rules)

modules.lst (additional ip_masq modules)

syslinux.cfg (kernel start parameters)

syslog.cfg (syslog configuration, like /etc/syslog.conf)

In general, we do not need to modify the syslinux.cfg or modules.lst files. Our main task is to modify the config file. For the sake of simplicity and clarity, I will not explain every detail of config here, and will only highlight a few important settings at the end of the file.

Find the line "OPEN_SHELL controls shell" (/bin/ash). If your computer has less than 12MB of memory, set ONLY_8M to "Y". USE_SYSLOG determines whether syslogd runs on the system, and SYSLOG_FLAGS holds the flags syslogd is started with. Users can change these according to their actual situation.

Appendix: Listing I. This is a standard configuration that has passed testing. Because this Linux system does not provide DHCP service and uses a static IP, it is a reference only for users with a similar setup.

About filtering rules:

Now, let's take a look at the firewall.ini file. Before any modification, floppyfw's default firewall.ini sets up static IP masquerading and denies access to some fixed ports. Because we want to build our own firewall, we need to modify firewall.ini. We need a comprehensive set of filtering rules that closes the ports we consider dangerous.

For reasons of space, I will not explain how to set up ipchains here. If you would like to know more about ipchains configuration and usage, refer to the following foreign Linux firewall ipchains configuration scheme.

For the specific firewall.ini filtering rules, refer to Configuration Listing II (ftp://FTP.MFI.COM/PUB/SYSADMIN/2001/JAN2001.TAR.Z), which is a modified configuration. If you are unfamiliar with Linux firewalls, you can download the listing for reference or use it directly.

Listing II provides the most basic DNS, SMTP, POP, NNTP, TELNET, SSH, FTP, HTTP, and whois services, and typically client computers can access the network through secure ports and use the above services.

About logs:

A Linux system can keep many log files, which mainly record the key parameters and events of the running system. As mentioned above, syslog.cfg is the file that configures logging. Through syslog.cfg, floppyfw can record what happens on the Linux firewall system; information such as keyboard errors or a display that is not installed is recorded as well. This gives the system administrator a useful basis for analyzing and solving system problems later. Setting up syslog.cfg is not difficult: first point syslog.cfg at a computer that keeps the master log. For example, on a Red Hat system, you can achieve this by editing /etc/rc.d/init.d/syslog. If the IP of this computer is 192.168.1.2, then syslog.cfg is configured with the same IP. For a specific configuration, refer to "Listing III" (ftp://FTP.MFI.COM/PUB/SYSADMIN/2001/JAN2001.TAR.Z).
