The proliferation of cable modem and DSL connections to the internet means that now many home users are connected to the net 24 hours per day. This constant availability makes home users a target for crackers and other bad people -- something that was not a big problem with dial-up connections. Accordingly, there has been much recent interest in how home users can protect their computers and data. This is a particular concern with inherently insecure operating systems like Win95/98/ME.
Commercial solutions are available -- one recent, reasonably-priced, elegant, and widely-available example is the Linksys Etherfast(tm) router. A much cheaper solution, although it will take more desk space, is to use an obsolete 386 or 486 computer running a minimal version of Linux. The minimum hardware requirement is a 386sx, 8MB of memory, a floppy disk drive, and two network cards. The system does not require a hard disk, display, mouse, or keyboard. Personally, I find it pleasing to "re-cycle" a computer that would otherwise be destined for the landfill.
The topic of this meeting is the FLOPPYFW (floppy firewall) package, where a single bootable 1.44MB diskette holds a minimal Linux operating system and the necessary applications. FLOPPYFW provides basic protection from intrusion and allows several machines to access the net through a single physical connection. (Please note that some service providers may not approve of such access. Austin RoadRunner was in this category, but they have now stated that shared home connections are OK as long as usage is not excessive.)
Every computer using TCP/IP (the communication medium of the Internet) must have an IP address to identify it. An IP address is of the form x.x.x.x, where x = 0..255. There are therefore 256*256*256*256 = 4G possible addresses - approximately one for each person in the world. (For the technically-minded, IP addresses are 32 bits long.) THIS IS NOT ENOUGH, and the internet will sooner or later go to 128-bit addresses, allowing a separate IP address for each molecule in your body, more or less.
Every device physically connected to the internet worldwide must have a unique IP address, but there are three SPECIAL IP address blocks reserved for internal networks - 10.x.x.x (up to 16 million machines per internal network), 172.[16-31].x.x (up to one million), and 192.168.x.x (up to 64K boxes). These addresses are never routed on the public internet, and packets carrying them will be ignored (or dropped) if seen there.
It's exceedingly unlikely that you'll need one of the larger blocks for a home network, so I recommend you use 192.168.1.1, ...2, ...3, etc. for your internal network. (192.168.1.0 and 192.168.1.255 are "special" and can't be used. We'll see why a little later.)
The firewall machine has TWO Ethernet cards, each with its own IP address:
NOTE -- I've had reports that instead of DHCP, some DSL services in Austin now use a different method of providing a dynamic "outside" internet IP address to their customers - a program called PPPoE. This stands for "Point-to-Point Protocol over Ethernet" and is "dial-up using the internet." PPPoE requires that the user run a special program to provide a userid and password, whereupon the DSL provider sends an IP address for the user and only then establishes a connection to the net. With DHCP (RoadRunner, e.g.) you're basically "live" any time you're physically connected; that is, you don't have a logon ID or password. The default version of FLOPPYFW does not contain the PPPoE software, but a new version IS available at the floppyfw home page.
In use, the external Network Interface Card (eth0) is therefore connected to the cable/DSL modem, and the internal NIC (eth1) is connected to an Ethernet hub, along with the other boxes, as shown in the diagram below. Note that if you're using the firewall to protect a single machine, you don't need a hub but can have a direct connection to eth1, using a crossover cable.
As mentioned, the FLOPPYFW software has two functions.
RAWRITE.EXE, using this link.
RAWRITE. It will prompt for an image file name (FLOPPY.IMG, for example) and then for the disk drive (A:). From a Linux command line, execute
dd if=[imagefilename] of=/dev/fd0
In either case, the target diskette will be over-written with the image.
You need to edit the file CONFIG in the root directory of the floppyfw diskette. This is an ordinary FAT diskette, so you can do the editing under DOS, Windows, OS/2, Linux, or whatever, using whatever text editor makes you comfortable. The following steps are necessary to get a running system:
OUTSIDE_IP=DHCP line and comment out the OUTSIDE_IP= line. If you have a static IP address, leave the commenting alone and fill in OUTSIDE_IP= with the address you've been assigned by your provider.
If you're using PPPoE, see the instructions that come with that version of FLOPPYFW.
OUTSIDE_DEV=eth0
OUTSIDE_NETMASK and OUTSIDE_BROADCAST lines if you're using DHCP or PPPoE; otherwise leave them alone.
INSIDE_IP=192.168.1.1
INSIDE_DEV=eth1
INSIDE_NETMASK=255.255.255.0
INSIDE_BROADCAST=192.168.1.255
Note: The NETMASK is magic - leave it at 255.255.255.0. The INSIDE_BROADCAST value is more magic - make sure it keeps that "255" on the end. (This is the promised explanation of why 192.168.1.0 and 192.168.1.255 can't be handed to a client: with that netmask the first three numbers identify the network, so the address ending in 0 names the network itself and the one ending in 255 is the broadcast address that reaches every machine on it.)
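To show where the "magic" comes from, here is an added example (not part of FLOPPYFW) that computes the network and broadcast addresses from the INSIDE_IP and INSIDE_NETMASK values in CONFIG, and also checks whether an address falls in one of the three reserved private blocks; it uses nothing but POSIX shell arithmetic and tr.

```shell
# Added example, not floppyfw code: netmask arithmetic for the CONFIG values.

# dotted quad -> 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network address: the mask keeps the network bits and zeroes the host bits,
# which is why 192.168.1.0 is the name of the network, not of a machine.
network_addr() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# Broadcast address: every host bit set to one, hence the trailing "255".
broadcast_addr() {
    int_to_ip $(( $(ip_to_int "$1") | (~$(ip_to_int "$2") & 4294967295) ))
}

# True if the address is in 10/8, 172.16/12 or 192.168/16 (the reserved blocks).
is_private() {
    n=$(ip_to_int "$1")
    [ $(( n >> 24 )) -eq 10 ] ||
    [ $(( n >> 20 )) -eq $(( (172 << 4) | 1 )) ] ||
    [ $(( n >> 16 )) -eq $(( (192 << 8) | 168 )) ]
}

# The values from the CONFIG file above.
INSIDE_IP=192.168.1.1
INSIDE_NETMASK=255.255.255.0
echo "network:   $(network_addr "$INSIDE_IP" "$INSIDE_NETMASK")"
echo "broadcast: $(broadcast_addr "$INSIDE_IP" "$INSIDE_NETMASK")"
```

Running it prints 192.168.1.0 and 192.168.1.255; feed it a different netmask and you will see why the author calls the value magic.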
DEFAULT_GATEWAY=eth0. The gateway is the conduit for the internal machines to talk to the outside world.
NAME_SERVER_IP lines to those appropriate for your service. (For Austin RoadRunner, they are 24.93.35.32, 24.93.35.33, and possibly 24.93.35.64.) Ask your service provider if necessary. (Nameservers are vitally necessary. They translate a domain name (www.yahoo.com, for example) into the corresponding IP address (216.32.74.50, in this case) that TCP/IP needs.)
Now that the editing is complete:
That's all there is to it.
Each client machine (Windows, Linux, or whatever) must be set correctly. The details vary depending on the OS, but in general you go to the Control Panel or equivalent, select TCP/IP Networking, and then make the following settings:
myname@foobar.com then foobar.com is your domain.)
I recommend getting inexpensive ISA 10-bt Ethernet cards, not least because your proposed machine probably doesn't have PCI slots but ought to have two empty ISA slots. There is no good reason for plug-and-play or for PCI in a minimal system like this; they just add to the cost. The faster 10/100 Ethernet cards might be useful if you plan to transfer large amounts of data around your internal network, but as of now all cable and DSL "modems" use only the lower speed.
If you can, get cards WITH JUMPERS to allow the base address and interrupt to be set manually. Otherwise you'll have to either round up a DOS diskette so you can boot to A: and run the manufacturer's setup program, or plug the cards into another (DOS/Win) computer and run the setup. Many people have recommended the jumpered ADDTRON AE-200 cards available for $13 each from Altex Electronics here in Austin. They are even PnP at that price, although you won't use the PnP feature. In any case, make sure your cards are "NE2000 compliant" and you'll avoid several possible problems.
BTW, here are representative prices from the Altex catalog for other purchases you might need to complete this project. They stock a 5-port Ethernet hub for $27 and an 8-port version for $36. Ethernet 10Base-T patch cables, aka CAT-5 (don't ask, but that's what you want) are available in many lengths and colors; prices range from $3.40 (3-foot) upwards. Their price algorithm seems to be that every extra four feet will cost you another dollar. Fifty or hundred-foot runs are perfectly feasible with 10-bt Ethernet if necessary. (These cables have an 8-connector modular plug at each end - the same design as ordinary telephone cord plugs but wider.)
Incidentally, try to get a hub with at least two or three more ports than your existing "box count." For one thing, the darn things have a habit of multiplying, and for another, it is certainly good hospitality to have empty jacks when friends come over bearing laptops. :-)
Set the base addresses and interrupts to values not used by any other adapters. For the kind of machine suitable for FLOPPYFW in the first place, there probably aren't too many possible conflicts, but this can require a little trial and error. As a starting point, I'm using base addresses 300 and 360, interrupts 10 and 12, and they don't conflict with anything else on my 486, so they might work for you, too. If not, try addresses 320 or 340, and if interrupt 10 or 12 doesn't work, try 11 and then 5.
The only real trick is, which card winds up eth0 and which eth1? The card with the lower address will be eth0, but it's easy to lose track. If so, a quick way to find out is to connect another computer (via the hub or a crossover cable) to one or the other, boot the FLOPPYFW diskette, and then issue the command "ping 192.168.1.1" from the command line on the other machine. If the FLOPPYFW machine responds, then you have found eth1. Otherwise, switch the connection to the other NIC and try again. (If neither one responds, then you got troubles.) When you've found eth1, mark it, and mark the other one eth0. As indicated in the diagram, connect eth0 to the internet and eth1 to the hub or single box to be protected. PS - If you issued that "ping" from a Linux command line, press CTRL-C to stop it. :-)
By default, the FLOPPYFW firewall function plays it safe and doesn't pass much of anything to the internal boxes. If you need to run an inbound service like FTP or TELNET, you'll need to modify FLOPPYFW's default rules. See the "IPCHAINS Howto" link at the floppyfw home page for the gory details. Note that by default FLOPPYFW doesn't affect outbound FTP or TELNET, although IPCHAINS can be configured to monitor outbound as well as inbound traffic if necessary.
FLOPPYFW also has nothing to do with direct interactions between your local machines. The data path there runs from client to hub to client without ever passing through the firewall. These machines can have as little or as much protection against each other as you see fit to install ON THE CLIENTS. They can share files, printers, or whatever in safety because they are not directly accessible from the big, bad outside world unless you modify FLOPPYFW's default rules.
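To make the two paragraphs above concrete, here is an added example of the kind of default-deny ruleset they describe (masquerade the inside network, let nothing unsolicited in, ignore private source addresses arriving on eth0), written for IPTABLES rather than IPCHAINS; it is not FLOPPYFW's own script, and the device names and inside network are the CONFIG values from above.

```shell
#!/bin/sh
# Added example, not floppyfw's script. Run as "sh fw.sh apply" (as root) on
# the firewall box; DRY_RUN=1 only prints the commands it would run.
OUTSIDE_DEV="${OUTSIDE_DEV:-eth0}"
INSIDE_DEV="${INSIDE_DEV:-eth1}"
INSIDE_NET="${INSIDE_NET:-192.168.1.0/24}"

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

firewall_rules() {
    # Clean slate, then drop everything no rule below explicitly allows.
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Private addresses never legitimately arrive on the outside card.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run iptables -A INPUT -i "$OUTSIDE_DEV" -s "$net" -j DROP
        run iptables -A FORWARD -i "$OUTSIDE_DEV" -s "$net" -j DROP
    done

    # The firewall box itself: loopback, replies to connections it opened,
    # DHCP lease traffic from the provider, and anything from the inside LAN
    # (needed if the firewall serves DHCP/DNS to the clients).
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$OUTSIDE_DEV" -p udp --sport 67 --dport 68 -j ACCEPT
    run iptables -A INPUT -i "$INSIDE_DEV" -s "$INSIDE_NET" -j ACCEPT

    # Clients: new connections only from inside to outside; from the outside
    # only packets belonging to a connection an inside machine started.
    run iptables -A FORWARD -i "$INSIDE_DEV" -o "$OUTSIDE_DEV" -s "$INSIDE_NET" -j ACCEPT
    run iptables -A FORWARD -i "$OUTSIDE_DEV" -o "$INSIDE_DEV" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Masquerading rewrites the source of outbound packets to the outside IP,
    # which is what lets several machines share one connection.
    run iptables -t nat -A POSTROUTING -o "$OUTSIDE_DEV" -j MASQUERADE

    # Finally let the kernel route between the two cards.
    run sysctl -w net.ipv4.ip_forward=1
}

if [ "${1:-}" = apply ]; then firewall_rules; fi
```

Inbound services such as FTP or TELNET would need additional explicit ACCEPT rules (and port forwarding) added before the default DROP takes effect, which is the modification the IPCHAINS/IPTABLES howto covers.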
Under normal running conditions, FLOPPYFW does not produce any useful messages to the screen, and it doesn't need a keyboard. I recommend you temporarily attach both until you're comfortable, though, just so you can reassure yourself there are no error messages. (Some BIOSes require that a keyboard be connected during the boot process (i.e., the infamous "No Keyboard Attached - Press F1 to Continue" message), but often there is a BIOS setup option so this check can be disabled.)
[081402] There have been continual updates to FLOPPYFW since the above presentation, but all is essentially still true. I strongly recommend going to the site and downloading whatever they say their current version is. One convenient addition is a DHCP server on the firewall itself, so client machines can now be assigned IP addresses and DNS addresses without their having to be hard-coded. An even bigger change is actually a change in Linux itself -- the IPCHAINS program for specifying firewall rules has been replaced by the (much easier to use) IPTABLES program. Again, you don't need to know anything about this program unless you choose to change the default rules for your particular situation.
Prices have come down, too. 10/100bt Ethernet cards can now be purchased for less than $10, and if your do-it-yourself gene is defective, several brands of ready-to-go router/firewall combos are available from Altex, CompUSA, or Fry's for well under a hundred.
Good luck.
John Dierdorf
Last modified 08-14-2002.