Setting Up a Home Network Using FLOPPYFW

WHY YOU NEED PROTECTION

The proliferation of cable modem and DSL connections to the internet means that now many home users are connected to the net 24 hours per day. This constant availability makes home users a target for crackers and other bad people -- something that was not a big problem with dial-up connections. Accordingly, there has been much recent interest in how home users can protect their computers and data. This is a particular concern with inherently insecure operating systems like Win95/98/ME.

Commercial solutions are available -- one recent, reasonably-priced, elegant, and widely-available example is the Linksys Etherfast(tm) router. A much cheaper solution, although it will take more desk space, is to use an obsolete 386 or 486 computer running a minimal version of Linux. The minimum hardware requirement is a 386sx, 8MB of memory, a floppy disk drive, and two network cards. The system does not require a hard disk, display, mouse, or keyboard. Personally, I find it pleasing to "re-cycle" a computer that would otherwise be destined for the landfill.

The topic of this meeting is the FLOPPYFW (floppy firewall) package, where a single bootable 1.44MB diskette holds a minimal Linux operating system and the necessary applications. FLOPPYFW provides basic protection from intrusion and allows several machines to access the net through a single physical connection. (Please note that some service providers may not approve of such access. Austin RoadRunner was in this category, but they have now stated that shared home connections are OK as long as usage is not excessive.)

IP ADDRESSES

Every computer using TCP/IP (the communication protocol of the Internet) must have an IP address to identify it. An IP address is of the form x.x.x.x, where x = 0..255. There are therefore 256*256*256*256 = 4G (about 4.3 billion) possible addresses, fewer than there are people in the world. (For the technically-minded, IP addresses are 32 bits long.) THIS IS NOT ENOUGH, and the internet will sooner or later go to 128-bit addresses, allowing a separate IP address for each molecule in your body, more or less.

Every device directly reachable on the internet must have a unique IP address, but there are three SPECIAL IP address blocks reserved for internal (private) networks - 10.x.x.x (up to 16 million machines per internal network), 172.[16-31].x.x (up to one million), and 192.168.x.x (up to 64K boxes). Packets carrying these addresses are never forwarded across the public internet; a router there should drop them, and a well-configured firewall drops any that arrive on its outside interface, since they can only be forged.

It's exceedingly unlikely that you'll need one of the larger blocks for a home network, so I recommend you use 192.168.1.1, ...2, ...3, etc. for your internal network. (192.168.1.0 and 192.168.1.255 are "special" and can't be given to a machine: with the netmask we'll use, .0 names the network itself and .255 is the broadcast address that reaches every machine on it. We'll see this again when we fill in the firewall's configuration.)

FIREWALL

The firewall machine has TWO Ethernet cards, each with its own IP address: the external card (eth0) gets the address your provider assigns, by DHCP, statically, or via PPPoE (see the note below), and the internal card (eth1) gets 192.168.1.1, the first address of the internal network chosen above.

NOTE -- I've had reports that instead of DHCP, some DSL services in Austin now use a different method of providing a dynamic "outside" internet IP address to their customers - a program called PPPoE. This stands for "Point-to-Point Protocol over Ethernet" and is essentially "dial-up over Ethernet." PPPoE requires that the user run a special program that presents a userid and password, whereupon the DSL provider assigns an IP address and only then establishes the connection to the net. With DHCP (RoadRunner, e.g.) you're basically "live" any time you're physically connected; that is, you don't have a logon ID or password. The default version of FLOPPYFW does not contain the PPPoE software, but a version that does IS available at the floppyfw home page.

In use, the external Network Interface Card (eth0) is therefore connected to the cable/DSL modem, and the internal NIC (eth1) is connected to an Ethernet hub, along with the other boxes, as shown in the diagram below. Note that if you're using the firewall to protect a single machine, you don't need a hub but can have a direct connection to eth1, using a crossover cable.

As mentioned, the FLOPPYFW software has two functions.

  1. The gateway or router function passes outgoing messages (received on eth1 from the client machines) onto the single Internet connection on eth0, rewriting each one so that it appears to come from the firewall's own outside address. It remembers which client started each conversation, so replies arriving on eth0 are recognized and re-sent on eth1 to the proper client machine. (This function is called "IP masquerading", since the clients' private addresses are never seen by the Internet; only the firewall's one public address is.)
  2. The firewall function examines each incoming message and drops unexpected or improper ones, using a set of rules that can be customized. By default, traffic from the Internet is only passed inward when it is a reply to something a client asked for, so harmful material should never reach the clients uninvited. Note that a firewall does NOT replace proper discipline to prevent viruses on the clients. A virus is typically received in a perfectly "legal" fashion (a downloaded executable file or e-mail message), which the firewall passes because the client requested it, and does its damage when executed.

[Diagram not reproduced: cable/DSL modem - eth0 FLOPPYFW eth1 - Ethernet hub - client machines]
CREATING THE FLOPPYFW DISKETTE

  1. Download the diskette image from this address: floppyfw-1.0.2
  2. If you're in DOS or Windows, rename the downloaded file to something compatible with 8.3 filenames - "FLOPPY.IMG" for example.
  3. If you're going to create the disk from DOS or Windows, download the file RAWRITE.EXE, using this link.
  4. From a DOS or Windows command line, simply execute RAWRITE. It will prompt for an image file name (FLOPPY.IMG, for example) and then disk drive (A:). From a Linux command line, execute

    dd if=[imagefilename] of=/dev/fd0

    In either case, the target diskette will be over-written with the image. Under Linux you can check the write afterwards with "cmp [imagefilename] /dev/fd0"; it should report no differences (if the image is shorter than the full 1.44MB it will only note reaching the end of the image file).

SETTING UP FLOPPYFW:

You need to edit the file CONFIG in the root directory of the floppyfw diskette. This is an ordinary FAT diskette, so you can do the editing under DOS, Windows, OS/2, Linux, or whatever, using whatever text editor makes you comfortable. The following steps are necessary to get a running system:

  1. If you will have a DHCP-style dynamic IP address (e.g., Austin RoadRunner) uncomment the OUTSIDE_IP=DHCP line and comment out the OUTSIDE_IP= line. If you have a static IP address, leave the commenting alone and fill in OUTSIDE_IP= with the address you've been assigned by your provider. If you're using PPPoE, see the instructions that come with that version of FLOPPYFW.
  2. Set OUTSIDE_DEV=eth0
  3. Comment out OUTSIDE_NETMASK and OUTSIDE_BROADCAST lines if you're using DHCP or PPPoE; otherwise leave them alone.
  4. Change the "INSIDE..." lines to what we decided:
    INSIDE_IP=192.168.1.1
    INSIDE_DEV=eth1
    INSIDE_NETMASK=255.255.255.0
    INSIDE_BROADCAST=192.168.1.255

    Note: The NETMASK says which part of an address names the network and which part names a machine on it. 255.255.255.0 means the first three numbers (192.168.1) are the network and only the last one varies per machine - leave it at 255.255.255.0. INSIDE_BROADCAST is the address with that last number set to 255; it is the one that reaches every machine on the inside network, so make sure it keeps that "255" on the end and that its first three numbers match INSIDE_IP.

  5. Set DEFAULT_GATEWAY=eth0. The gateway is the conduit for the internal machines to talk to the outside world.
  6. Set the NAME_SERVER_IP lines to those appropriate for your service. (For Austin RoadRunner, they are 24.93.35.32, 24.93.35.33, and possibly 24.93.35.64.) Ask your service provider if necessary. (Nameservers are essential. They translate a domain name (www.yahoo.com, for example) into the corresponding IP address (216.32.74.50, in this case) that TCP/IP needs.)
  7. Save CONFIG back onto the floppy.

    Now that the editing is complete:

  8. Since it's a FAT diskette, the regular DOS/WINDOWS "diskcopy" will work to make a backup of your working diskette.
  9. Write-protect your working diskette! FLOPPYFW doesn't ever write anything to the diskette, and in fact the diskette doesn't even have to be in the drive after boot is complete. This provides an extra layer of safety - the running system lives entirely in memory, so nothing an intruder changes can survive a reboot: if you ever think your running copy of FLOPPYFW might have been compromised, simply hit the RESET button on the firewall computer and re-load a fresh copy from the "pure" diskette. (Note - on your computer this might be labelled the "Windows Compatibility" button instead. Same thing.)
  10. Connect your machines as shown in the diagram, using straight-through patch cables for all connections if you're using a hub, and a crossover connection if you're only trying to protect a single machine. (Note - if you're connecting via a hub, all connections are via the "standard" ports, not the uplink port.)
  11. Put the disk in your prepared firewall machine (see next section) and boot.

That's all there is to it.
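As an added example (not part of FLOPPYFW or its CONFIG file), here is a small POSIX shell script that computes the network and broadcast addresses hiding behind the "magic" netmask, checks that the inside address you picked is a usable private address rather than the network, broadcast or a public address, and emits the INSIDE_* lines for CONFIG. The helper names (ip2int, int2ip, network_of, broadcast_of, is_private, inside_config) are this example's own; the values are the ones chosen above.

```shell
#!/bin/sh
# Added example, not FLOPPYFW code: derive and check the INSIDE_* values.

# Dotted quad -> 32-bit integer, e.g. 192.168.1.1 -> 3232235777
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network address: the host bits (where the mask is 0) cleared.
network_of() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# Broadcast address: the host bits all set.  With a 255.255.255.0 mask the
# host part is the last octet, which is why it must come out as 255.
broadcast_of() {
    int2ip $(( $(ip2int "$1") | ( 4294967295 ^ $(ip2int "$2") ) ))
}

# True if the address lies in one of the three reserved private blocks:
# 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.
is_private() {
    n=$(ip2int "$1")
    [ $(( n >> 24 )) -eq 10 ] ||
    [ $(( n >> 20 )) -eq $(( (172 << 4) | 1 )) ] ||
    [ $(( n >> 16 )) -eq $(( (192 << 8) | 168 )) ]
}

# Check the inside address and print the four INSIDE_* lines for CONFIG.
# Fails (non-zero) if the address is the network or broadcast address of
# its subnet, or is not a private address.  Netmask defaults to the one
# recommended in the text.
inside_config() {
    ip=$1; mask=${2:-255.255.255.0}
    net=$(network_of "$ip" "$mask")
    bcast=$(broadcast_of "$ip" "$mask")
    if [ "$ip" = "$net" ] || [ "$ip" = "$bcast" ]; then
        echo "error: $ip is the network or broadcast address of $net/$mask" >&2
        return 1
    fi
    if ! is_private "$ip"; then
        echo "error: $ip is not a private (RFC 1918) address" >&2
        return 1
    fi
    printf 'INSIDE_IP=%s\nINSIDE_DEV=eth1\nINSIDE_NETMASK=%s\nINSIDE_BROADCAST=%s\n' \
        "$ip" "$mask" "$bcast"
}

# Usage: the values chosen in the text.
inside_config 192.168.1.1 255.255.255.0
```

Running it with 192.168.1.0 or 192.168.1.255 fails with the network/broadcast error, which is the reason those two addresses were set aside earlier; running it with a provider address such as 24.93.35.32 fails the private-address check, since the inside network must use one of the reserved blocks.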

CLIENT SETUP:

Each client machine (Windows, Linux, or whatever) must be set correctly. The details vary depending on the OS, but in general you go to the Control Panel or equivalent, select TCP/IP Networking, and then make the following settings, which follow directly from the CONFIG values above: a unique IP address on the inside network (192.168.1.2, 192.168.1.3, and so on - not .0, .1 or .255), subnet mask 255.255.255.0, default gateway 192.168.1.1 (the firewall's eth1), and the same name server addresses you gave the firewall.

HARDWARE SETUP:

I recommend getting inexpensive ISA 10Base-T Ethernet cards, not least because your proposed machine probably doesn't have PCI slots but ought to have two empty ISA slots. There is no good reason for plug-and-play or for PCI in a minimal system like this; they just add to the cost. The faster 10/100 Ethernet cards might be useful if you plan to transfer large amounts of data around your internal network, but as of now all cable and DSL "modems" use only the lower speed.

If you can, get cards WITH JUMPERS to allow the base address and interrupt to be set manually. Otherwise you'll have to either round up a DOS diskette so you can boot to A: and run the manufacturer's setup program, or plug the cards into another (DOS/Win) computer and run the setup. Many people have recommended the jumpered ADDTRON AE-200 cards available for $13 each from Altex Electronics here in Austin. They are even PnP at that price, although you won't use the PnP feature. In any case, make sure your cards are "NE2000 compliant" and you'll avoid several possible problems.

BTW, here are representative prices from the Altex catalog for other purchases you might need to complete this project. They stock a 5-port Ethernet hub for $27 and an 8-port version for $36. Ethernet 10Base-T patch cables, aka CAT-5 (don't ask, but that's what you want) are available in many lengths and colors; prices range from $3.40 (3-foot) upwards. Their price algorithm seems to be that every extra four feet will cost you another dollar. Fifty or hundred-foot runs are perfectly feasible with 10Base-T Ethernet if necessary. (These cables have an 8-connector modular plug at each end - the same design as ordinary telephone cord plugs but wider.)

Incidentally, try to get a hub with at least two or three more ports than your existing "box count." For one thing, the darn things have a habit of multiplying, and for another, it is certainly good hospitality to have empty jacks when friends come over bearing laptops. :-)

Set the base addresses and interrupts to values not used by any other adapters. For the kind of machine suitable for FLOPPYFW in the first place, there probably aren't too many possible conflicts, but this can require a little trial and error. As a starting point, I'm using base addresses 300 and 360, interrupts 10 and 12, and they don't conflict with anything else on my 486, so they might work for you, too. If not, try addresses 320 or 340, and if interrupt 10 or 12 doesn't work, try 11 and then 5.

The only real trick is, which card winds up eth0 and which eth1? The card with the lower address will be eth0, but it's easy to lose track. If so, a quick way to find out is to connect another computer (via the hub or a crossover cable) to one or the other, boot the FLOPPYFW diskette, and then issue the command "ping 192.168.1.1" from the command line on the other machine. If the FLOPPYFW machine responds, then you have found eth1. Otherwise, switch the connection to the other NIC and try again. (If neither one responds, then you got troubles.) When you've found eth1, mark it, and mark the other one eth0. As indicated in the diagram, connect eth0 to the internet and eth1 to the hub or single box to be protected. PS - If you issued that "ping" from a Linux command line, press CTRL-C to stop it. :-)

By default, the FLOPPYFW firewall function plays it safe and doesn't pass much of anything from the Internet to the internal boxes. If you need to run an inbound service like FTP or TELNET on an inside machine, you'll need to modify FLOPPYFW's default rules to forward that port inward, and you should think twice: both send passwords in the clear, and every port you open is one more way in. See the "IPCHAINS Howto" link at the floppyfw home page for the gory details. Note that by default FLOPPYFW doesn't affect outbound FTP or TELNET, although IPCHAINS can be configured to restrict outbound as well as inbound traffic if necessary.

FLOPPYFW also has nothing to do with direct interactions between your local machines. The data path there runs from client to hub to client without ever passing through the firewall. These machines can have as little or as much protection against each other as you see fit to install ON THE CLIENTS. They can share files, printers, or whatever in safety because they are not directly accessible from the big, bad outside world unless you modify FLOPPYFW's default rules.

Under normal running conditions, FLOPPYFW does not produce any useful messages to the screen, and it doesn't need a keyboard. I recommend you temporarily attach both until you're comfortable, though, just so you can reassure yourself there are no error messages. (Some BIOSs require a keyboard be connected during the boot process (i.e., the infamous "No Keyboard Attached - Press F1 to Continue" message), but often there is a BIOS setup option so this check can be disabled.)

Time Marches On

[081402] There have been continual updates to FLOPPYFW since the above presentation, but all is essentially still true. I strongly recommend going to the site and downloading whatever they say their current version is. One convenient addition is a DHCP server on the firewall itself, so client machines can now be assigned IP addresses and DNS addresses automatically without having them hard-coded on each one. An even bigger change is actually a change in Linux itself: the IPCHAINS program for specifying firewall rules has been replaced by the (much easier to use) IPTABLES program, which also keeps track of connections, so "a reply to something a client asked for" is a rule you can write directly. Again, you don't need to know anything about this program unless you choose to change the default rules for your particular situation.
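To make the gateway and firewall functions described earlier concrete, here is an added example of an IPTABLES rule set that does what the text says the defaults do: masquerade the inside network behind eth0, let replies back in, and refuse anything else that arrives from the Internet. It is not FLOPPYFW's own rule file, and the current floppyfw release's defaults may differ in detail; interface names and the inside network are the ones used in this article, while the function name and the IPT dry-run switch are this example's own. By default it only prints the commands so the rule set can be reviewed; on the firewall, as root, run it with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not FLOPPYFW's rules: a masquerading firewall in iptables.
# Set IPT=iptables (as root, on the firewall) to apply; the default prints.

IPT=${IPT:-"echo iptables"}
OUTSIDE_DEV=eth0
INSIDE_DEV=eth1
INSIDE_NET=192.168.1.0/24

firewall_rules() {
    # Start from a clean slate and deny by default.
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # The firewall itself: trust loopback and the inside network.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$INSIDE_DEV" -s "$INSIDE_NET" -j ACCEPT

    # Anti-spoofing: the three private blocks can never legitimately be the
    # source of a packet arriving from the Internet side, so drop them.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A INPUT   -i "$OUTSIDE_DEV" -s "$net" -j DROP
        $IPT -A FORWARD -i "$OUTSIDE_DEV" -s "$net" -j DROP
    done

    # Replies to conversations the firewall or a client started.
    $IPT -A INPUT   -i "$OUTSIDE_DEV" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$OUTSIDE_DEV" -o "$INSIDE_DEV" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # A DHCP-assigned outside address needs the server's replies, which
    # can arrive as broadcasts before any connection state exists for them.
    $IPT -A INPUT -i "$OUTSIDE_DEV" -p udp --sport 67 --dport 68 -j ACCEPT

    # Gateway function: clients may open anything outbound, and their
    # packets leave eth0 wearing the firewall's own outside address.
    $IPT -A FORWARD -i "$INSIDE_DEV" -o "$OUTSIDE_DEV" -s "$INSIDE_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$OUTSIDE_DEV" -s "$INSIDE_NET" -j MASQUERADE

    # Everything else from eth0 falls through to the DROP policy; log it so
    # the console shows what was refused.
    $IPT -A INPUT   -i "$OUTSIDE_DEV" -j LOG --log-prefix "fw-in-drop: "
    $IPT -A FORWARD -i "$OUTSIDE_DEV" -j LOG --log-prefix "fw-fwd-drop: "
}

firewall_rules

# Only with the real iptables, on the firewall: the kernel must also be
# told to forward packets between the two cards at all.
if [ "$IPT" = iptables ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```

Two practical notes. Inbound services (the FTP or TELNET case discussed earlier) are what the FORWARD and INPUT DROP policies refuse; opening one means adding a specific ACCEPT (and, for a server on an inside machine, a DNAT rule) above the LOG lines. And active-mode FTP from the clients only works if the kernel's FTP connection-tracking helper (ip_conntrack_ftp) is loaded, because the data connection comes back from the server and is accepted here only as RELATED to the control connection.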

Prices have come down, too. 10/100bt Ethernet cards can now be purchased for less than $10, and if your do-it-yourself gene is defective, several brands of ready-to-go router/firewall combos are available from Altex, CompUSA, or Fry's for well under a hundred.

Good luck.

John Dierdorf

Last modified 08-14-2002.