How-To: Build your own network firewall
Network appliances don't always offer all the firewalling features a user needs -- you know, the advanced port blocking and security procedures we'd like to keep our little home network fiefdoms secure. In today's How-To we'll show you how to build a firewall out of an old PC with a live Linux CD and some spare ethernet cards. It's the perfect use for that machine with the dead hard drive (or no hard drive at all).
For this How-To you'll need:
- A suitable PC, with a CD-ROM and USB port - we suggest a Pentium II
- At least two Ethernet ports (onboard + a second card or similar)
- A blank CD-R to burn the system CD
- USB thumb drive, floppy disk or hard drive.
In order to use a firewall, we need to lay out the basic network design. Our example network should be fairly typical. Internet access is via cable modem. Behind the firewall, we'll have an internal LAN that contains workstations, a home file server, some TiVos and a VOIP adapter. We'll also have a public wireless network that's separated from everything else. We'll be putting our wireless access point on the DMZ network, which is usually where people like to keep web servers. In our case, we're keeping the wireless network separated from the internal LAN. The DMZ network is not allowed to access the LAN without special rules, so it's ideal.
Make the CD:
We're using Devil Linux for this how-to. Download the latest release from one of the download mirrors (grab the stable release). Bunzip2 is built into OS X, but you might need something like ZipGenius to open the .bz2 on a Windows box.
Inside the unzipped directory, you'll find the bootcd.iso file you need to make the bootable system CD. Burn the image to a piece of reliable media with your favorite software.
Devil Linux is a 'live' linux distribution - it runs directly from a CD-ROM. It's unique because it stores its configuration on a separate disk like a floppy drive or a USB thumb drive. The PC doesn't need a hard drive, just a CD-ROM drive to boot from.
For our network, we'll need three network ports on the firewall. We used an older four port PCI 10/100 Ethernet nic made by DEC that uses the 'tulip' module under linux. You'll need to know which kernel module (or driver) the card(s) you're using need. This used to mean digging through the kernel documentation, but today you can usually google for 'linux module' and the card model. If you're buying new cards, double check the modules before you buy or you may be in for a frustrating time. The four port card is handy because it only uses one PCI slot and the same kernel module for each port.
Boot it up:
Once the box is together, connect a monitor and keyboard. Pop your boot CD into the drive and power it up.
One word of warning: we had trouble getting the system CD to boot in the first CD drive we tried. Swapping out the drive fixed it. If everything is going well, you should see the boot screen above. It will time out and boot. The default resolution should work just fine on most systems.
You'll be treated to a view of Tux the penguin as the system boots up. When it's finished, you'll get a login prompt.
At the prompt, enter 'root' as the user name. When it asks for a password, just hit enter and you'll get a prompt. At the prompt, type 'setup' and hit enter.
The setup menu is pretty easy to navigate. Arrow keys move up and down, Enter activates an item and the spacebar will select items.
The basic configuration menu allows you to change the hostname, timezone, etc. Once you're happy go back and enter the Services menu from the main menu.
The services menu is where you can choose which network services the box will run all the time. Devil Linux is very flexible. For now you may wish to enable SSHD to allow SSH shell connections from within your network and NAMED so the firewall can provide local DNS services. To be super secure, you can leave them both off. Go back to the main menu and enter the Network menu when you're done.
Select the 1NIC option to configure the first network card.
The first interface will be called eth0. This is the port that you need to connect to your DSL or cable modem. If you didn't find out what module you need for your ethernet cards, now's the time to look it up. Enter the module menu option.
Navigate the never ending module (driver) list and use the space bar to select the module you need. It's tulip for us. Hit OK when you're done.
At the eth0 menu, enter the DHCP option to select yes or no. If you hit no, you can enter the ip information. If you have a static ip address from your provider, you can enter it there. Otherwise, hit yes and head back to the Networking menu and enter the 2NIC menu selection.
The second NIC will be called eth1. Select the module as you did in the first - even if it's the same one. This is the network port you'll connect to your ethernet switch, hub or to a workstation with a crossover cable. The default address is fine, but you may wish to change it.
If you want to provide network addresses via DHCP to the local ethernet network, set the option to yes. Do the same for the 3NIC and configure eth2 if you need/want it. Head back to the Networking menu.
Out of the box, Devil has no firewall rules set up. Select the DMZ3FW if you're using three network ports or the FW2 if you're only using two ports. Either of these will install a basic firewall rule set to use two or three nics.
Whichever you choose, you'll get this screen. Select yes to install the rules. Back to the main menu.
If you decided to provide dynamic ip addresses on your LAN, you can adjust the settings from the DHCP option of the main menu. By default it will provide 20 IPs for dynamic hosts from the bottom of the IP range.
Now that everything is set up, you can use the LoginPW option of the main menu to set a new root password. Alternatively you can just type 'passwd' at the command prompt.
Finally, we need to save all of our configuration changes. You can do this from the menu or by typing 'save-config' at the command prompt. It will compare current configs with saved configs and ask you if you really want to save your changes. You must save configuration changes after you change anything on the system. Otherwise they're lost at the next reboot. Happily, if you screw up something, rebooting will erase your mistake.
A few tips:
If you want to use a hard drive to store the configuration, you'll need to create and format an ext2 partition on the drive using fdisk and mke2fs. Once you do that, the start up will find the partitioned hard drive and let you use it to store the configuration. The firewall rules are kept in '/etc/init.d/firewall.rules' and running '/etc/init.d/firewall start' will reload them.
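To show what the three-NIC rule set from the DMZ3FW step is actually enforcing on the network laid out earlier (eth0 to the cable modem, eth1 the internal LAN, eth2 the DMZ with the public wireless AP), here is a constructed iptables script written for this how-to. It is not Devil Linux's own DMZ3FW rule set; the interface names, the 192.168.1.0/24 and 192.168.2.0/24 addresses and the fw_rules/dmz_isolated function names are assumptions you should adjust to what you entered in the 2NIC/3NIC menus.

```shell
#!/bin/sh
# Constructed example for the topology in this how-to: eth0 = cable modem,
# eth1 = internal LAN, eth2 = DMZ (public wireless). Assumed names/addresses.
WAN=eth0
LAN=eth1
DMZ=eth2
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24

# Print the iptables commands rather than running them, so the rule set can
# be reviewed first and then applied with:  fw_rules | sh
fw_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback and replies to connections the firewall itself opened
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSHD and NAMED are reachable only from the internal LAN, never WAN or DMZ
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 53 -j ACCEPT
# Return traffic for connections opened from inside
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN may reach the Internet and the DMZ
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN -o $DMZ -s $LAN_NET -j ACCEPT
# DMZ may reach the Internet only; DMZ->LAN attempts are logged, then dropped
iptables -A FORWARD -i $DMZ -o $WAN -s $DMZ_NET -j ACCEPT
iptables -A FORWARD -i $DMZ -o $LAN -j LOG --log-prefix "DMZ->LAN blocked: "
iptables -A FORWARD -i $DMZ -o $LAN -j DROP
# Hide both internal networks behind the cable-modem address
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# Sanity check before applying: no ACCEPT for the DMZ->LAN pair, and a DROP
dmz_isolated() {
    ! fw_rules | grep -q -- "-i $DMZ -o $LAN .*-j ACCEPT" &&
      fw_rules | grep -q -- "-i $DMZ -o $LAN -j DROP"
}
```

Once you are happy with the output, `fw_rules | sh` applies it; to keep it across reboots, put the same rules in /etc/init.d/firewall.rules and run save-config.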