Lynn:
        Heya; some quick feedback on your FAQ. Very qualitative
stuff, so take from it what you will. :)

> Also, should Seattle Firewall, ShoreWall, and OpenWall be covered
> in this FAQ? It wouldn't be a problem.

        There's a fair parallel: choosing which firewall package
to use is similar to choosing what LEAF distro to use.

>  The LEAF (Linux Embedded Appliance Firewall) project is one of my
> favorite IT tools. Do you need a small Linux distribution that will
> scale down to a single floppy disk or expand to span several
> floppies, a flash disk, or a CD?

        I think you're touting the distro's flexibility here, but
I think most Linux distros can claim to run from a CD. The very
small media (floppy, DoC) is really more impressive.


> Do you want a STRONG home firewall
> that you can make from old spare parts or find lying in the trash
> or a friend's garage?

        Well...it's not as if you build it from paint cans and nerf
footballs. :) It does turn the doorstop of an old PC into something
that becomes one of the most important pieces of a broadband network,
though.

> Do you need a cheap VPN gateway solution without
> the thousands of dollars in licensing fees?

        Akshally, the low-end LinkSys and Sonicwall stuff do VPN
passthru and one-notch up they do VPN endpoint, without the licensing
that (say) Cisco or Watchguard would charge.

>  Some old versions of LEAF can run on a 386SX, but for the more recent
> versions/branches a 486DX33 with 16 Megs of RAM is suggested for the
> floppy versions (24 Megs for the cdrom versions) for cable modem users,
> and an old Pentium 133 with a suggested 24 Megs of RAM should saturate a
> T1 WAN connection unless you're running an encrypted VPN gateway.

        That's a busy sentence. :) Content wise, the "old versions"
of LEAF were actually called LRP: LEAF didn't "start" until Eigerstein
really. Also, cable-modem users could fairly be called "cable/dsl modem
users". Lastly, the saturation capability is primarily a function of
whether the NIC is an ISA card or a PCI card, not so much the processor
speed. Any Pentium-1 class PCI-based machine with 24MB RAM could saturate
a T1, even with being a VPN endpoint.

> The
> coolest part is running on a write-protected floppy or a cdrom: if the
> machine is compromised, you can just restart it and it is back to the
> original setup...not even Cisco can guarantee that.

        A very good point. However (based on recent experience), the
downside to a floppy system is the reliability: the disk will die after
a while, long before a HD would. So be careful of celebrating the
floppy part too much.


>  All parts are
> common PC hardware typically, so you can always find and buy hardware
> for it if something goes bad.

        I'd say a system suitable for LEAF costs about $50 to $100.
You may want to spell it out: 486 66MHz, 16MB RAM, no HD, 2 ethernet
NICs...maybe even a URL to a good site for used stuff cheap.

> Another major difference between LEAF
> distributions and your regular Linux distributions is that LEAF is
> "embedded" Linux. This means that the system runs in a virtual disk in
> RAM, which is the fastest once booted, and safe from system crashes,
> should they occur, because there is no data loss on the boot/configuration
> disk(s).

        I'd move this to near the top of the description. It is
fundamental to how LEAF works, really, and describes why the system
is primarily constrained by RAM size.

>  Dachstein
>

        I'd point out here, or maybe above, that LEAF is primarily
used as a *masquerading* firewall, also called a NAT'ing firewall, or
a "firewall/router". It can be "just" a firewall too, sure, but
most people use it to masq. Also, I'd emphasize that Dachstein's
target user is the new-to-LEAF user, as it's optimized to get
working quickly by focusing 90-percent of the required configuration
into a single file: network.conf. It comes with no development tools,
but it packs all of the essential packages in: SSHd, VPN passthru,
DHCP client and server, DNS cache, a web-based monitor. Not sure what
you meant with "SSL". Lastly, the stock firewall is good, but it
requires a fair amount of TCP/IP know-how to customize, and it
tends to, IMO, log too many unimportant packet events which can
be disconcerting to a novice user.

>  Oxygen
>

        Oxygen is definitely for those who want more than a Linux
network appliance, but rather want a box that doubles as a full
fledged Linux system, complete with development tools.

>  LRP-the Original
>

        It's hard to know what to say about LRP. It's certainly
true that LEAF branched (pun!) out of LRP, in an effort to make
LRP systems more accessible and better supported. Dachstein is
really what Dave Cinege would have called an "idiot image", meaning
"if you're a Linux idiot (aka, new user), use this". Dave did some
great work to get LRP started, but he's not exactly known for
"playing well with others", and he ignored the contributions of
too many people for too long, and so LEAF had to happen.
        LRP questions are *certainly* supported on the LEAF
mailing list, as the LRP list isn't that active with any good
support (I've been haunting it).
        I've no idea of the development status of Butterfly. It's
been coming out Real Soon Now for 2 years.

> # mount -t msdos /dev/fd0 /mnt
> # mv /mnt/* /lib/modules
> # umount /mnt

        I use "cp" instead of "mv". Also, you should mention
"lrpkg -i <package name>". I forget why I don't cd to /mnt and
run that from there, skipping the cp altogether...

        Lastly, I'd add a pointer to the HOWTO of getting
Dachstein started: the one which mentions setting up NIC driver
calls in /lib/modules and then navigating network.conf to get
it setup (start with eth0, choose DHCP or static, go on to eth1,
choose masq or firewall mode, etc).

        A good start on the FAQ, thanks! Hope these comments
help at all.

-Scott



_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel