Well, I've gotten no responses from the list so I think I'm going with
the "Bering-uClibc" distribution since it seems to be more actively
maintained than most of the others and apparently can handle the
multiple interfaces I'll need. Hopefully, someone will chime in with
some pointers when they get the time.

From what I've found so far, there is precious little "real"
documentation on installation, configuration, and implementation. A nice
HTML or PDF User Guide would be nice.

Thanks in advance for any suggestions. :-)

--Cal Webster

On Tue, 2004-03-16 at 18:17, Calvin Webster wrote:
> I've been looking over the LEAF distros for a candidate to build a set
> of border firewall/routers. They are to replace existing devices built
> with PC hardware and commercial DOS-based firewall software.
> 
> I have several questions. Here are a few to start:
> 
> 1. Given the details below, which distro would be most appropriate?
> 2. Given the firewall/routing requirements, which dynamic routing
> protocols would be recommended?
> 3. Suggestions on configuring IPSEC VPNs over the untrusted networks?
> 
> I have given an outline of the project below. This is a fictitious
> network, but representative of the real project. Details of
> infrastructure have been obfuscated, but the outline describes project
> parameters.
> 
> Please let me know if I've left out anything.
> 
> Thanks!
> 
> --Cal Webster
> 
> 
> 
> There are 4 devices, one in each building at our site. Two of the new
> firewalls will run on the older hardware, while the other two will run
> on recently purchased hardware stored in DiskOnChip. Eventually, I want
> to replace all older platforms with newer machines and run them from
> DiskOnChip or straight Flash memory. I have some 40 GB hard drives
> installed in the new machines on which I plan to build the custom
> kernels and setup the services for testing.
> 
> Old Hardware Platform:
> 
> Generic Desktop Chassis
>     AMD K6-2 336 MHz CPU
>     1MB cache
>     128 MB RAM
>     2 GB HDD
>     1.44 FDD
> 4 3c905 NICs
> 
> New Hardware Platform:
> 
> Cyber Research 2U rack-mount passive backplane chassis
> CPTD CEL/COP-850 All-In-One Single Board Computer
>     PIII 850 MHz
>     100 MHz front side bus
>     Intel 82558 10/100-TX (integrated)
>     768 MB RAM
>     256 MB DiskOnChip
>     1.44 FDD
>     USB
> 4 3C905-TX NICs
> 
> I began building one new machine with RedHat Linux 8 but had to put the
> project on hold after finally getting the drivers to work with
> DiskOnChip.
> 
> 
> 
> Here is a summary of the functionality required:
> 
> Firewall: 
>     stateful packet inspection
>     NAT/PAT
>     IPSEC Auth
>     IPSEC VPN tunneling
> Router:
>     BGP
>     RIP
> Logging to external syslog server
> https/ssh configuration/management tool
> Port Knocking to trigger remote vpn/ssh access
> Optional user authentication to access Internet
> Block outbound traffic by IP, subnet, user, port
> Block all inbound traffic from untrusted networks except that which is
> initiated from inside
> Allow all traffic between trusted networks.
> Fastest available link should be chosen when redundant paths exist.
> 
> 
> Here is a sketch of the network:
> 
> DSL = 500 Kbps ADSL Link
> RF1 = 100 Mbps RF Wireless direct point-to-point link
> RF2 = 1.5 Mbps RF Wireless direct point-to-point link
> ISP = 2 Mbps Cable ISP
> PLANn = Fast Ethernet Private LANs within buildings at site.
> 
>        [PLAN2]                                     [PLAN2] [Remote User]
>           |                                           |         |
> [PLAN1]   |                                   [PLAN1] |         |
>    |      |                                      |    |     [Internet]
>    |      |                                      |    |         |
> Building A                                   Building B        |
> [Firewall 1]<-------------[RF1]------------->[Firewall 2]<--->[ISP]
>     ^      \                                /     ^
>     \       \                              /      /
>      \     [DSL]                        [DSL]    /
>       \       \                          /      / 
>        \       \       [Internet]       /      /
>         \       \          |           /      /
>          \       \         |          /      /
>           \       \        |         /      /
>            \       \       |        /      /
>           [RF1]     \      |       /    [RF1]
>              \       [Corp Network]      /
>               \            ^            /
>                \           |           /
>                 \          |          /
>                  \       [DSL]       /
>                   \        |        /
>                    \       |       /
>                     \      |      /
>                        Building C 
>                       [Firewall 3]---[PLAN1]
>                             ^    \
>                             |     \--[PLAN2]
>                             |
>                           [RF2]
>                             |
>                             |
>                         Building D 
>                        [Firewall 4]
>                         |        |
>                         |        |
>                      [PLAN1]     |
>                                  |
>                               [PLAN2]
> 
> 
> Notes:
> 
> 1. There are 2 Internet connections, a wideband cable ISP connection
> (bldg B) and a slower, more problematic DSL connection (bldgs A, B, and
> C) through the corporate intranet.
> 2. All RF links use VPN tunneling directly to private LANs.
> 3. The 3rd high-speed RF link is redundant (not yet installed)
> 4. DSL links function as backup VPN tunnels between building PLANs.
> 5. All PLANs must have routes to all other PLANs
> 6. Only PLANs and VPNs are trusted networks - all others are "external",
> untrusted connections.
> 7. No external ports are open on any firewalls - only VPN tunnels.
> 8. No routes will be advertised on external ports.
> 9. All PLANS must have routes to Internet (bldg B)
> 
> Port Configurations:
> 
> Firewall 1
> [PLAN1] Static, non-routable IP Addr - Local Private Network
> [PLAN2] Static, non-routable IP Addr - Local Private Network
> [DSL  ] Static non-routable IP Addr - Link to Corp intranet, through to
> Internet
> [RF1  ] Static non-routable IP Addr - VPN links to Bldgs B and C
> 
> Firewall 2
> [PLAN1] Static, non-routable IP Addr - Local Private Network
> [PLAN2] Static, non-routable IP Addr - Local Private Network
> [ISP  ] Static, publicly routable IP Addr. - Internet Link
> [DSL  ] Static non-routable IP Addr - Link to Corp intranet, through to
> Internet
> [RF1  ] Static non-routable IP Addr - VPN links to Bldgs A and C
> 
> Firewall 3
> [PLAN1] Static, non-routable IP Addr - Local Private Network
> [PLAN2] Static, non-routable IP Addr - Local Private Network
> [DSL  ] Static non-routable IP Addr - Link to Corp intranet, through to
> Internet
> [RF1  ] Static non-routable IP Addr - VPN links to Bldgs A and B
> 
> Firewall 4
> [PLAN1] Static, non-routable IP Addr - Local Private Network
> [PLAN2] Static, non-routable IP Addr - Local Private Network
> [RF2  ] Static non-routable IP Addr - VPN link to Bldg C
-- 
--Cal
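One way to turn the firewall requirements quoted above (default deny on untrusted ports, only the VPN reachable from outside, everything allowed between trusted networks, NAT for Internet-bound traffic, drops logged to syslog) into an iptables ruleset. This is an added example, not part of the original post or of any LEAF package; the interface names, the tunnel interface name and the peer address are assumed placeholders.

```shell
#!/bin/sh
# Added example; interface names and the peer address are assumptions.
IPT=${IPT:-iptables}        # set IPT=echo to preview the rules without applying them
PLAN1=eth0; PLAN2=eth1      # trusted private LANs in the building
EXT=eth2                    # untrusted uplink (DSL or ISP side)
VPN=ipsec0                  # tunnel interface carrying the RF/DSL VPNs
VPN_PEER=192.0.2.10         # placeholder: the remote firewall's tunnel endpoint

apply_rules() {
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # replies to connections that were initiated from inside
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the only thing reachable on the untrusted side is the VPN itself: IKE and ESP
    $IPT -A INPUT -i $EXT -s $VPN_PEER -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i $EXT -s $VPN_PEER -p esp -j ACCEPT
    # ssh/https management only from trusted networks
    for t in $PLAN1 $PLAN2 $VPN; do
        $IPT -A INPUT -i $t -p tcp -m multiport --dports 22,443 -j ACCEPT
    done
    # all traffic between trusted networks (LANs and VPN tunnels)
    for a in $PLAN1 $PLAN2 $VPN; do
        for b in $PLAN1 $PLAN2 $VPN; do
            if [ "$a" != "$b" ]; then $IPT -A FORWARD -i $a -o $b -j ACCEPT; fi
        done
    done
    # per-host/port outbound blocks would go here, before the generic outbound accept
    for t in $PLAN1 $PLAN2; do
        $IPT -A FORWARD -i $t -o $EXT -m state --state NEW -j ACCEPT
    done
    $IPT -t nat -A POSTROUTING -o $EXT -j MASQUERADE
    # anything else is logged (syslog forwards it to the remote server) and hits the DROP policy
    $IPT -A INPUT   -j LOG --log-prefix "FW-IN-DROP: "
    $IPT -A FORWARD -j LOG --log-prefix "FW-FWD-DROP: "
}

if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

Run with `apply` as root to load the rules; run with `IPT=echo` first to review the generated commands.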



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
