I wrote a FAQ concerning new users looking at which LEAF version
best fits their needs. This is submitted for comments, questions, and 
corrections/improvements to the list. 

Also, should Seattle Firewall, ShoreWall, and OpenWall be covered 
in this FAQ? It wouldn't be a problem. 

Is the command help also relevant to being included in this doc?

FAQ is below post.
-- 

~Lynn Avants
aka Guitarlynn


**********************Start of FAQ************************************

                    ***************************************
                    ** Choosing LEAF Version FAQ **
                    ***************************************
                    By Lynn Avants aka Guitarlynn



 The LEAF (Linux Embedded Appliance Firewall) project is one of my
favorite IT tools. Do you need a small Linux distribution that will
scale down to a single floppy disk or expand to span several
floppies, a flash disk, or a CD? Do you want a STRONG home firewall
that you can make from old spare parts, or from hardware found lying
out in the trash or in a friend's garage? Do you need a cheap VPN
gateway solution without the thousands of dollars in licensing fees?
Need something to use as a "thin-client" or a terminal client? Then
this is probably just what you've been looking for.

 Some old versions of LEAF can run on a 386SX, but for the more recent
versions/branches a 486DX33 with 16 MB of RAM is suggested for the
floppy versions (24 MB for the cdrom versions) for cable modem users,
and an old Pentium 133 with a suggested 24 MB of RAM should saturate a
T1 WAN connection unless you are running an encrypted VPN gateway.
Dachstein and Oxygen are configurable to run not only from a floppy,
cdrom, or harddrive, but also from flash drives. Some people have built
half-rack 2U router/bridge/firewalls and servers out of LRP. The
coolest part: when run from a write-protected floppy or a cdrom, if the
machine is compromised you can just restart it and it is back to the
original setup...not even Cisco can guarantee that. All parts are
typically common PC hardware, so you can always find and buy
replacements if something goes bad. Another major difference between
LEAF distributions and your regular Linux distributions is that LEAF is
"embedded" Linux. This means that the system runs from a virtual disk in
RAM, which is the fastest once booted, and it is safe from system
crashes should they occur, because nothing is written back to the
boot/configuration disk(s) and so nothing on them can be lost.



 Dachstein

-The brand new release from Charles Steinkuehler, whose last
release (EigerStein) is probably the most used branch of all LRP-based
distro's of the last year or two. He picked up Matthew Grant's
"mountain" branch and started "extending scripts" to make Mr. Grant's
release easier to use and to add more functions. Dachstein is used
most often as a firewall, and with his scripts it is likely the
strongest stock firewall I know of without any prompted configuration.
It's fairly easy to set up if you know anything about networking and
actually read the README.txt file before trying to set the disk up.
When run as a router, Dachstein is equally functional. SSL, IPSec, a
web-based monitor, a dhcp server, and a web-proxy server are stock on
this version. A cdrom version of Dachstein is in full development and
is available for testing. Charles is one of the primary developers at
LEAF. This is what I use for my firewall at home.


 Oxygen

-David Douthitt is another of LEAF's primary developers, with his
incredible new Oxygen branch. Although Oxygen can do all the firewalling,
routing, and bridging that almost all LRP derivatives do, he has taken
a different direction, making Oxygen work best as a miniature-scale
"jack-of-all-trades" distro. It scales from a single floppy to a full 7
in the present release, and he is also testing an Oxygen cdrom that
will do more than I could think of explaining here. Shoot, the
floppy release does more than I would think of listing here! It is on a
2.2.19 kernel now; a 2.4 series kernel with iptables is in testing and
is an available choice on the development cdrom. Advanced features such
as network booting, thin client setup, machine rescue, and network
monitoring are built in. The cdrom version also has a LEAF developer's
kit on it if you feel the need to make something for LEAF that isn't
already available. I always have Oxygen available for when I need
an outstanding tool or something more specialized than what normally
comes on Dachstein.


 LRP-the Original

-Dave Cinege's original LRP release. This is not part of the LEAF
project, but is mentioned out of respect as the base from which the LEAF
versions came. Development has been rather slow, but the upcoming
"Butterfly" release (LRPv4.0) should be out soon. The most recent has
been 2.9.8, which uses the 2.2.x kernel. This distro is the best as a
regular router and tool-kit distro. LRP is not supported by LEAF,
but rather on the distro's own domain at http://www.linuxrouter.org




 ###################################
 ## LRP COMMAND HELP 2.2.x kernels ##
 ###################################

This section is a short reference of the iproute2 commands and other
tidbits of information that are commonly asked for by LEAF users. These
may save you a little time.


 # start the lrp configuration applet
 lrcfg

 The network script will bring up or down any network card:
# svi network
Usage: network start|stop|reload
       network ifup|ifdown|ifreset eth0|eth1|eth2|all
       network ipfilter load|flush|reload
       network ipfilter list [input|output|forward|autofw|mfw|portfw]
       network ipfilter list masq|masquerade

 You can also use the net command:
# net
Usage: net start|stop|reload
       net ifup|ifdown|ifreset eth0|eth1|eth2|all
       net ipfilter load|flush|reload
       net ipfilter list [input|output|forward|autofw|mfw|portfw]
       net ipfilter list masq|masquerade

 IP COMMANDS (iproute2 command - old net-tools equivalent)
#ip address show - ifconfig
#ip address add 1.2.3.4/24 broadcast 1.2.3.4 dev eth0 up - ifconfig (options) eth0 up
#ip link set dev eth0 up - ifconfig eth0 up
#ip route show - route -n
#ip route add default via 1.2.3.4 - route add default gw 1.2.3.4
#ip route add nat 1.2.3.4/8 via 192.168.1.10 table (-f inet)
#ip route add 192.168.0.0/24 via 192.168.0.1 dev eth0 [static route]
#ip neigh show - arp -a -n
#ifcfg eth0 1.2.3.4/24
#netstat -i
#netstat -r

 LOGS
#/var/log/syslog
#/var/log/messages

 LOADING EXTRA MODULES
# mount -t msdos /dev/fd0 /mnt
# mv /mnt/* /lib/modules
# umount /mnt (or) umount msdos /mnt

 ENABLE IP FORWARDING (needed to route between interfaces)
 #echo "1" > /proc/sys/net/ipv4/ip_forward

 MY COMMON NIC SETUPS
#3c5x9 - set io=300,320 irq=10,11 with 3c5x9cfg DOS utility
#ne io=300 - also load the "8390" module
#smc-ultra io=300 irq=10

 DUPLEX SETTINGS
# half-duplex for connections to Cable/DSL Modems and hubs. (default)
# full-duplex for NIC-to-NIC, router, and most switch connections.

 # to set the SILENT_DENY (no logging) option in the Dachstein firewall:

 #SILENT_DENY="ProtoNumber_SourceAddress/Netmask_DestinationPort"
 #Netmask and DestinationPort are optional

 # rule in the network.conf script to quit logging certain packets
 SILENT_DENY="[protocol#]_[source ip address]/[netmask]_[destination port#]"
 *note*-the netmask and destination port# are optional
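To show how a SILENT_DENY entry decomposes, here is an added shell example (it is not from the Dachstein scripts and is not how network.conf itself consumes the variable): it splits one entry into protocol, source/netmask and destination port, applies the defaults stated above (netmask and port optional, a bare address meaning one host) and prints the ipchains DENY rule those packets would hit, without the -l logging flag. The chain name "input" and the ipchains "-d address port" syntax are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the LEAF/Dachstein scripts.
# Decodes one SILENT_DENY entry ("proto_src/mask_port", mask and port
# optional) and prints the ipchains rule that would drop those packets
# silently (no -l, so nothing is logged).  Assumptions: the chain is
# named "input" and ipchains' "-d address port" syntax applies.

# silent_deny_rule ENTRY -> prints one ipchains command, or returns 1
silent_deny_rule() {
    entry=$1
    proto=${entry%%_*}          # text before the first '_'
    rest=${entry#*_}            # text after the first '_'
    if [ "$rest" = "$entry" ]; then
        echo "silent_deny_rule: no source address in '$entry'" >&2
        return 1
    fi
    case "$rest" in
        *_*) src=${rest%%_*}; port=${rest#*_} ;;
        *)   src=$rest;        port= ;;
    esac
    # Protocol number and port (when given) must be plain integers
    case "$proto" in ''|*[!0-9]*)
        echo "silent_deny_rule: bad protocol number in '$entry'" >&2; return 1 ;;
    esac
    case "$port" in *[!0-9]*)
        echo "silent_deny_rule: bad destination port in '$entry'" >&2; return 1 ;;
    esac
    # A bare address means a single host, so an omitted netmask is /32
    case "$src" in */*) ;; *) src=$src/32 ;; esac
    rule="ipchains -A input -j DENY -p $proto -s $src -d 0/0"
    if [ -n "$port" ]; then
        rule="$rule $port"
    fi
    echo "$rule"
}

# silent_deny_rules "ENTRY ENTRY ..." -> one rule per line for a whole
# SILENT_DENY value; stops at the first malformed entry
silent_deny_rules() {
    for e in $1; do
        silent_deny_rule "$e" || return 1
    done
}

# Demonstration with a constructed value: TCP (6) from one host to port 80,
# and any UDP (17) from 10/8 regardless of port
silent_deny_rules "6_1.2.3.4/32_80 17_10.0.0.0/8"
```

Because each rule it prints has no -l, anything matched is dropped without a syslog line, so keep the entries narrow: a wide source range with no port silences exactly the traffic you might later want evidence of.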


 FIREWALL RUNNING RFC PRIVATE CLASS ADDRESS ON WAN CONNECTION
# edit /etc/ipfilter.conf and comment out the line of the function that
matches your WAN address range:

 # #A function to filter out martian source addresses
 stop_martians () {
     #RFC 1918/1617/1597 blocks
     $IPCH -A $LIST -j DENY -p all -s 10.0.0.0/8 -d 0/0 -l $*
     $IPCH -A $LIST -j DENY -p all -s 192.168.0.0/16 -d 0/0 -l $*
     # (the remaining martian rules of the real file follow here)
 }

 #then have it take effect with "svi network reload".
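The reason this edit is needed is that on a WAN link inside a private range every packet from the ISP's side arrives with an RFC 1918 source address and stop_martians drops (and logs) all of it. The added shell example below is not from ipfilter.conf: given the WAN address, it reports which RFC 1918 block it sits in, so only that one line is commented out and the other lines keep rejecting spoofed private sources. The 172.16.0.0/12 range is RFC 1918's third block and is included here even though the snippet above does not show it.

```shell
#!/bin/sh
# Added example, not part of the Dachstein ipfilter.conf.  Reports which of
# the three RFC 1918 private blocks a WAN address sits in, i.e. which single
# stop_martians line has to be commented out.  The other lines should be
# left in place so spoofed packets from those ranges are still rejected.

# ip_to_int A.B.C.D -> the address as one unsigned 32-bit number
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1                     # split the dotted quad on '.'
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/LEN -> true when ADDR lies inside NET/LEN
in_cidr() {
    net=${2%/*}
    len=${2#*/}
    # Compare the top LEN bits of both addresses
    [ $(( $(ip_to_int "$1") >> (32 - len) )) -eq \
      $(( $(ip_to_int "$net") >> (32 - len) )) ]
}

# martian_block ADDR -> prints the matching RFC 1918 block, or "none"
martian_block() {
    for blk in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        if in_cidr "$1" "$blk"; then
            echo "$blk"
            return 0
        fi
    done
    echo none
}

# martian_advice ADDR -> the instruction for the admin, as one line
martian_advice() {
    blk=$(martian_block "$1")
    if [ "$blk" = none ]; then
        echo "$1 is public: leave stop_martians alone"
    else
        echo "$1 is in $blk: comment out only the '-s $blk' line in stop_martians, then 'svi network reload'"
    fi
}

# Demonstration with a constructed WAN address, as handed out by a cable
# modem that puts its customers on a private range
martian_advice 192.168.100.12
```

Commenting out a martian line means packets claiming a source in that block are accepted on the WAN side, so it is worth checking afterwards with "net ipfilter list input" that the other private blocks are still being denied.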

*************************End of FAQ************************************


guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!

_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel
