[lug] An idea...
Ian S. Nelson
nelson_ at attglobal.net
Fri Aug 11 20:10:43 MDT 2000
PC Drew wrote:
> Here's an idea that I'm gonna throw out for comments, cheap shots, or
> one-liners from everyone.
> This whole topic of using linux as a firewall got me thinking.
> Linksys came up with the Cable Modem/DSL firewall that I use...why
> don't I make and market my own?
> I've got a few problems with setting up a linux box as my firewall.
> Namely, I want to have a firewall whose sole purpose in life is to
> protect my network. That then means that I can't use it to write
> software. I can't use it as a "for fun" or "for learning" machine,
> because it serves a very important role for me. That means that I
> have to buy another computer to do this. That takes $$ and (more
> importantly) space in my small apartment.
> Why do I like the Linksys so much? Because it's small, cheap, and
> doesn't take any time to setup. What don't I like about it? I'm
> limited in what I can do with it.
> Why am I writing this email? Because I want people's thoughts about
> basically getting some small embedded linux machines, loading a VERY
> stripped down version of linux (i.e. Linux Router Project?), loading
> DHCP, NAT, firewall software, etc. And making a secure, easy to use,
> linux firewall appliance that's CHEAP.
> Also...who feels that they aren't able to VPN with their
> friends/neighbors/work easily and would like to? Well, this would be
> another feature of this firewall appliance. It would use SSH to VPN
> with whatever network the user wants. If the user is so inclined, it
> would also allow the two networks to use the Network Neighborhood in
> Windows to share files (i.e. with samba).
> What are your thoughts? Does anyone have any experience with embedded
> linux appliances? Is it something that could be done inexpensively
> (the software would be free and GPLed, I'd donate my time to make
> these boxes so I'm referring to the hardware)?
> If anyone knows of a product like this, I'd appreciate the help
> getting my foot out of my throat.
I've been kicking this around a while. I'm building an embedded device
that runs Linux as my job now. It's low-cost, it does internet, and a few
other things. I've never done any embedded stuff before (I come from big
computer land) so I'm learning a lot.
First off, it's *the* market right now. Full source is really really
nice. You can't talk about embedded it seems without Linux coming up.
Second, Linux generally doesn't fit in to what are commonly thought of as
embedded or real time devices. It is far larger than most RTOSes and the
hardcore embedded freaks are used to things like the ST20 and Z80s, not
exactly the most Linux-friendly hardware. Still, I think there is huge
potential in this arena: this isn't an embedded Linux machine, it's a
type of "information appliance". "Embedded" is changing and it's
becoming all about the internet.
For firewalling, there are cheaper ways to go than linux. And cost is
about the only factor in this equation. If that's all you want you can
get away with an extremely low power processor, just about any OS with a
TCP/IP stack that's small, no drive, maybe 1M of memory and a couple of
ethernet ports. A 386ex might be a choice, a z80 is a choice, motorola
has a great line of parts for this. The killer with Linux is memory
(good luck making it work well in 1M); firewalling doesn't take much, but
your kernel would. So while this is a cool design I think there are
better ways to go with this product.
I've got two different broadband connections to my house, the big problem
with both is IP addresses, I would like 5 or 6, I get 2 with DSL and 1
with my other connection. So NAT or IPMASQ would be nice. Another
reason to run a big OS on the beast, Linux or BSD will do this kind of
thing. It's a more sophisticated protocol and so Linux seems more
reasonable than VxWorks or QNX or something.
Something else that has bothered me from time to time is I own a couple
domains but my DSL provider is a real hard-on about adding them to the
DNS. So I have to run my own DNS and have internic point to it. It's
not a problem but I can't promise that my hardware will always be on and
I don't really want to run a DNS server and administrate it. Linux and
BSD will run DNS... I can't be alone in the desire to have a brick that
does DNS and DNS caching.
Another thing is mail serving. If I've got a domain it should be able
to handle emails. I can setup qmail, postfix, or sendmail and make it
work and even have reasonable trust in its security but I don't really
want to if I don't have to.... I don't want to dedicate a real machine
to this stuff. And since we're doing all this why not put apache on there
too? This is where I think the action will be. Internet appliances and
drop-in turn-key servers are huge in the business world, IBM, Cobalt,
Compaq, and others are all making them. I think home users are going to
want that kind of thing too.
I think the thing to do is take an NSC MediaGX1 or a StrongARM 110 or a
Toshiba MIPS 3149 or a PowerPC 40x type processor, low power, low cost,
integrated. 16M of RAM, a 1 or 2 GB drive, a 2MB flash, a pair of
10/100s and put Linux and some slick software on it to allow it to be
easily configured. And you could realistically sell it for under $200.
There are some logistics to work out, you don't really want your firewall
being your DNS, Mailserver, and web server but with some slick
configuring and some chroot magic you could probably make it work
reasonably well. This is something Windows and GNU/Linux users could get
use out of. The cool thing is this device won't have a fan, except for
the drive it won't draw but a spark of electrical current and it
would be the size of a brick.
If it was slick, you'd buy it. Configure it with a web browser, plug it
in and put it under your desk and forget about it. Very cool. With
something like Zope novices can generate slick web pages, upload
pictures, do that sort of stuff all from a web browser interface. You
could realistically string a printer off it too if you wanted. The key
is putting enough function in it to differentiate it from a very low
cost, low-power firewall but not so much that building a PC is cheaper.
If it was really slick, even though it would be on 24-7 you could have
some code do the DHCP thing and then talk to internic when you get a new
IP addr from your cable modem...
I shouldn't and can't go in to specifics but our device uses a MediaGX1
(300MHz Pentium-class processor, or thereabouts) as big a drive as we can
afford, 16M of ram, USB, it has mpeg chips, and some other goodies and
it's in the $300-$400 price range.
I really think that if Joe Consumer could buy a brick, plug it in to his
lan, spend 30 minutes setting it up and have a domain, a mailserver, ip
masq, a squid proxy (? parent block stuff?) and a firewall with
reasonably good security all for ~$200 then you could have a pretty
compelling product. It's sort of geek heavy right now but more and more
people are wanting that kind of thing.
If you want, we can chat more off the list about this. I'm happy with
what I'm doing but if someone is interested I'd love to discuss it and
I'd even give some code.
Ian S. Nelson __o
Nelson_ at attglobal.net.NOSPAM \<,
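As an added example, not code from either poster: the NAT, default-deny and "admin only from the inside" behaviour the thread wants from such a brick, written as a netfilter ruleset. The post names no firewall tool, so Linux with iptables is an assumption, as are the interface names (eth0 facing the WAN, eth1 facing the LAN), the LAN subnet 192.168.1.0/24, and the choice to expose SSH and the web configurator only on the LAN side. Setting IPT and SYSCTL to "echo ..." previews the commands without touching the kernel.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: Linux with
# iptables/netfilter, WAN on eth0, LAN on eth1, LAN subnet 192.168.1.0/24,
# admin (SSH + web configurator) reachable only from the LAN side.
# IPT="echo iptables" SYSCTL="echo sysctl" sh fwbrick.sh apply  -> dry run
# sh fwbrick.sh apply (as root)                                  -> load rules

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}

# Kernel knobs the rules rely on: forward packets, and drop packets whose
# source address is not routable back out the interface they arrived on.
enable_forwarding() {
    $SYSCTL -w net.ipv4.ip_forward=1
    $SYSCTL -w net.ipv4.conf.all.rp_filter=1
}

apply_rules() {
    # Clean slate, then default-deny for anything aimed at or through the box.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the box or a LAN host started.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: a packet claiming a LAN source must not arrive on the WAN.
    $IPT -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP

    # Administration only from the inside: SSH and the web configurator.
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 80 -j ACCEPT

    # LAN hosts may go out; hide them behind the single WAN address (IP masq).
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    apply_rules
fi
```

Nothing in this ruleset opens a port toward the WAN; the DNS, mail and web services the post wants would each need their own ACCEPT on the WAN interface, which is exactly the trade-off Ian flags when he says you don't really want the firewall to be the DNS, mail and web server too.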