[leaf-user] Re: Which Distro for This Firewall/Router?

2004-03-17 Thread Calvin Webster
Well, I've gotten no responses from the list so I think I'm going with
the Bering-uClibc distribution since it seems to be more actively
maintained than most of the others and apparently can handle the
multiple interfaces I'll need. Hopefully, someone will chime in with
some pointers when they get the time.

From what I've found so far, there is precious little real
documentation on installation, configuration, and implementation. A nice
HTML or PDF User Guide would be nice.

Thanks in advance for any suggestions. :-)

--Cal Webster

On Tue, 2004-03-16 at 18:17, Calvin Webster wrote:
 I've been looking over the LEAF distros for a candidate to build a set
 of border firewall/routers. They are to replace existing devices built
 with PC hardware and commercial DOS-based firewall software.
 
 I have several questions. Here are a few to start:
 
 1. Given the details below, which distro would be most appropriate?
 2. Given the firewall/routing requirements, which dynamic routing
 protocols would be recommended?
 3. Suggestions on configuring IPSEC VPNs over the untrusted networks?
 
 I have given an outline of the project below. This is a fictitious
 network, but representative of the real project. Details of
 infrastructure have been obfuscated, but the outline describes project
 parameters.
 
 Please let me know if I've left out anything.
 
 Thanks!
 
 --Cal Webster
 
 
 
 There are 4 devices, one in each building at our site. Two of the new
 firewalls will run on the older hardware, while the other two will run
 on recently purchased hardware stored in DiskOnChip. Eventually, I want
 to replace all older platforms with newer machines and run them from
 DiskOnChip or straight Flash memory. I have some 40 GB hard drives
 installed in the new machines on which I plan to build the custom
 kernels and setup the services for testing.
 
 Old Hardware Platform:
 
 Generic Desktop Chassis
 AMD K6-2 336 MHz CPU
 1MB cache
 128 MB RAM
 2 GB HDD
 1.44 FDD
 4 3c905 NICs
 
 New Hardware Platform:
 
 Cyber Research 2U rack-mount passive backplane chassis
 CPTD CEL/COP-850 All-In-One Single Board Computer
 PIII 850 MHz
 100 MHz front side bus
 Intel 82558 10/100-TX (integrated)
 768 MB RAM
 256 MB DiskOnChip
 1.44 FDD
 USB
 4 3C905-TX NICs
 
 I began building one new machine with RedHat Linux 8 but had to put the
 project on hold after finally getting the drivers to work with
 DiskOnChip.
 
 
 
 Here is a summary of the functionality required:
 
 Firewall: 
 stateful packet inspection
 NAT/PAT
 IPSEC Auth
 IPSEC VPN tunneling
 Router:
 BGP
 RIP
 Logging to external syslog server
 https/ssh configuration/management tool
 Port Knocking to trigger remote vpn/ssh access
 Optional user authentication to access Internet
 Block outbound traffic by IP, subnet, user, port
 Block all inbound traffic from untrusted networks except that which is
 initiated from inside
 Allow all traffic between trusted networks.
 Fastest available link should be chosen when redundant paths exist.
 
 
 Here is a sketch of the network:
 
 DSL = 500 Kbps ADSL Link
 RF1 = 100 Mbps RF Wireless direct point-to-point link
 RF2 = 1.5 Mbps RF Wireless direct point-to-point link
 ISP = 2 Mbps Cable ISP
 PLANn = Fast Ethernet Private LANs within buildings at site.
 
[PLAN2] [PLAN2] [Remote User]
   |   | |
 [PLAN1]   |   [PLAN1] | |
|  |  || [Internet]
|  |  || |
 Building A   Building B|
 [Firewall 1]-[RF1]-[Firewall 2]---[ISP]
 ^  \/ ^
 \   \  /  /
  \ [DSL][DSL]/
   \   \  /  / 
\   \   [Internet]   /  /
 \   \  |   /  /
  \   \ |  /  /
   \   \| /  /
\   \   |/  /
   [RF1] \  |   /[RF1]
  \   [Corp Network]  /
   \^/
\   |   /
 \  |  /
  \   [DSL]   /
   \|/
\   |   /
 \  |  /
Building C 
   [Firewall 3]---[PLAN1]
 ^\
 | \--[PLAN2]
 |
   [RF2]
 |
 |
 Building D 
[Firewall 

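The firewall requirements listed above (stateful inspection, NAT, all unsolicited inbound from the untrusted side dropped, trusted networks open to each other, drops logged to syslog), worked through as an added example that is not part of the original post and not LEAF/Bering code: a POSIX shell script that generates an iptables ruleset for one of the four boxes. The interface names (eth0 to eth3 for the two private LANs, the RF point-to-point link and the DSL/ISP uplink), the trusted address ranges and the log prefix are assumptions for illustration. Bering's own front end is Shorewall, which expresses the same policy in its zones/policy/rules files; the raw netfilter version shows what that policy amounts to. The script only prints the commands, so the ruleset can be read and diffed before it is ever applied.

```shell
#!/bin/sh
# Added example, not from the LEAF project or the original poster.
# Generates (does not apply) an iptables ruleset for a four-interface
# border firewall. Interfaces and addresses below are ASSUMPTIONS.
: "${LAN1:=eth0}"   # PLAN1, trusted
: "${LAN2:=eth1}"   # PLAN2, trusted
: "${RF:=eth2}"     # RF1/RF2 point-to-point link to the other building, trusted
: "${WAN:=eth3}"    # DSL or cable ISP uplink, untrusted
: "${TRUSTED_NETS:=192.168.1.0/24 192.168.2.0/24 10.10.0.0/16}"  # assumed ranges
: "${SYSLOG_PREFIX:=FW-DROP }"

# emit prints one command. Routing every rule through a function keeps the
# whole ruleset reviewable (and testable) before it touches the kernel.
emit() { printf '%s\n' "$*"; }

gen_rules() {
    # Default deny for anything the rules below do not explicitly allow.
    emit "iptables -P INPUT DROP"
    emit "iptables -P FORWARD DROP"
    emit "iptables -P OUTPUT ACCEPT"
    emit "iptables -F"; emit "iptables -t nat -F"

    # Stateful core: replies and related packets of connections that were
    # already allowed pass; packets the tracker cannot place are dropped.
    for chain in INPUT FORWARD; do
        emit "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
        emit "iptables -A $chain -m state --state INVALID -j DROP"
    done
    emit "iptables -A INPUT -i lo -j ACCEPT"

    # Anti-spoofing: a packet arriving on the untrusted link must never
    # carry a trusted source address, or it would match the trusted rules.
    for net in $TRUSTED_NETS; do
        emit "iptables -A INPUT -i $WAN -s $net -j DROP"
        emit "iptables -A FORWARD -i $WAN -s $net -j DROP"
    done

    # Requirement: allow all traffic between trusted networks (both directions).
    for in_if in $LAN1 $LAN2 $RF; do
        for out_if in $LAN1 $LAN2 $RF; do
            [ "$in_if" = "$out_if" ] && continue
            emit "iptables -A FORWARD -i $in_if -o $out_if -j ACCEPT"
        done
    done

    # Management (ssh) only from trusted interfaces; nothing listens on the WAN.
    for in_if in $LAN1 $LAN2 $RF; do
        emit "iptables -A INPUT -i $in_if -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    done

    # Outbound to the untrusted side: NEW connections from trusted nets only,
    # then masqueraded. Per-host or per-port outbound blocks belong BEFORE
    # this accept so they are matched first.
    for net in $TRUSTED_NETS; do
        emit "iptables -A FORWARD -o $WAN -s $net -m state --state NEW -j ACCEPT"
    done
    emit "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"

    # Everything else, including all unsolicited inbound from the WAN, is
    # rate-limited into syslog (forwarded by syslogd to the external host)
    # and dropped.
    emit "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"$SYSLOG_PREFIX\""
    emit "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"$SYSLOG_PREFIX\""
    emit "iptables -A INPUT -j DROP"
    emit "iptables -A FORWARD -j DROP"
}

# count_rules: number of iptables commands generated; a quick sanity check
# when the trusted-network list or interface set changes.
count_rules() { gen_rules | grep -c '^iptables '; }

# Print the ruleset. Review it, then apply on the firewall with:  sh fw-rules.sh | sh
gen_rules
```

Two points from the requirements list that this ruleset deliberately does not cover: "block outbound by user" cannot be done with netfilter on forwarded traffic (the owner match applies only to packets the firewall itself generates), so that item needs the optional authenticating proxy mentioned in the requirements; and port knocking sits in front of the ssh/VPN accept rules as an additional gate, not as a replacement for key-based authentication on those services.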
Re: [leaf-user] Re: Which Distro for This Firewall/Router?

2004-03-17 Thread Tony
Hi Calvin,

Bering and Bering uClibc are kissing cousins, so what you find in the 
original Bering docs are relevant to Bering uClibc.  Any differences are 
noted in the uClibc docs.

Check out:
http://leaf.sourceforge.net/doc/guide/binstall.html - Bering Install guide
http://leaf.sourceforge.net/doc/guide/busers.html - Bering Users Guide
http://leaf.sourceforge.net/doc/guide/buc-install.html - Bering-uClibc 
Installation Guide
http://leaf.sourceforge.net/doc/guide/buc-user.html - Bering-uClibc 
User's Guide

As far as your requirements go, I think you'll find either to be up to 
snuff, with the exception that there is no web-based configuration at this 
time.  All CLI, baby.

Don't forget to back up your disk after making changes, as they will be 
lost upon reboot if you don't.

Good Luck

Tony


