Linux Floppy Firewall


I recently reorganized my network layout to provide better security. Central to this plan was the creation of a boot floppy that would act as a router and masquerade box for my internal network. At the time I was running RedHat 6.1 and wanted the floppy to closely mirror the RedHat initialization process. Since then, I have upgraded the disk to the 2.4.0 kernel and iptables. Due to space restrictions, this disk no longer closely mirrors the RedHat initialization process; although it does provide a useful model of a *very minimal* linux system. Here are some notes about my effort and a copy of what I came up with. You can also download a copy of my bootdisk and the creation scripts. If you try to get it working and run into problems, feel free to e-mail me.

Read the Bootdisk-HOWTO. My work is largely based off what I learned from that document.

The boot process goes like this:
  • The BIOS performs its POST (Power-On Self Test)
  • The computer seeks to the first sector of the floppy. It either finds the start of a kernel, or LILO. If it finds the kernel, it loads it in. If it finds LILO, then LILO is run which then loads the kernel. The benefit of using LILO is that you can specify more boot-time options than if you just load the kernel. This is particularly important if you want to use a higher density format than the standard 1.44MB format. The boot loader that is part of the kernel cannot use these high density formats. LILO can.
  • Once the kernel is loaded in, it will start to load the root filesystem into the ramdisk. The kernel knows where to find this root filesystem based on a value you poke into the kernel image using the rdev utility. It is possible to store the kernel on one floppy and have the root filesystem on another floppy. That way, after the kernel loads, the computer will prompt you to insert another disk that contains the root filesystem. This is a good idea if you are really pressed for space. You can set this behavior with the rdev utility. It seemed like a bad idea to have a two-disk set, though, since I planned on using the floppy for a router, firewall, and masquerading box. I'd hate for the power to go out and then come back on without my knowing about it. The computer would be waiting forever for the second disk and I'd never know about it, especially since I wasn't planning on having a monitor hooked up to it. My only indication would be that my connection to the internet would stop working.
  • After the root filesystem is loaded, the kernel runs /sbin/init. Whatever is in that location will get run. If you created a little "hello world" program in C, compiled it, and renamed it to /sbin/init it would run and you would get hello world on your screen. Fortunately the actual /sbin/init that comes with Linux does a lot more than that.
  • Init looks in the file /etc/inittab to find out what it should do. In RedHat, it runs three things.
  • First, it runs /etc/rc.d/rc.sysinit. This only does a couple of things that were important to me. It mounts the filesystems (including /proc), and sets the hostname (not really important, but looks nice). In order for it to mount the filesystems, you need to have the mount executable (/bin/mount) and the filesystems table (/etc/fstab). To set the hostname, you obviously need to have the hostname executable (/bin/hostname). In order to try to stay RedHat-ish, I chose to store the hostname in the /etc/sysconfig/network file, where RedHat normally stores it.
  • Second, it runs the runlevel script /etc/rc.d/rc. It does this by passing an argument to the script that indicates what runlevel to switch to. For the purpose of my bootdisk, runlevels were pretty much irrelevant, so I specified in /etc/inittab that init should just call /etc/rc.d/rc without passing any arguments. That script, in turn, loads up all the systems and daemons that are needed. Namely, it starts up networking, gets system logging running, and finally runs my rc.local file. Currently rc.local doesn't do anything, but I left it in there since it seemed handy.
  • Thirdly, /sbin/init runs my shell. Due to space restrictions, I had to do away with mingetty and login. Essentially, you just get a shell prompt.
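The three files that the init steps above depend on (/etc/inittab, /etc/rc.d/rc.sysinit and /etc/rc.d/rc) are small enough to show in full. The script below is an added example that reconstructs them from the description above and stages them under a directory of your choosing; it is not the author's own bootdisk or creation scripts, and the init.d paths, the sample hostname and the staging directory are assumptions. It also includes a host-side check of the staged files, and a parser for the HOSTNAME= line of a RedHat-style /etc/sysconfig/network file, so you can verify the disk contents before writing them to a floppy. Note that the last inittab line gives a root shell on the console with no login, exactly as the text describes, so the box is only as secure as the room it sits in.

```shell
#!/bin/sh
# Added example (not the author's files): stage the minimal boot-time
# configuration described above into a directory, then sanity-check it.
# Usage: sh make_bootfiles.sh /tmp/floppyroot

# Print the HOSTNAME value from a RedHat-style sysconfig/network file.
# Strips surrounding quotes; falls back to "localhost" when the line is absent.
read_hostname() {
    _line=$(grep '^HOSTNAME=' "$1" | tail -n 1)
    _name=${_line#HOSTNAME=}
    _name=$(printf '%s' "$_name" | tr -d '"'"'")
    if [ -n "$_name" ]; then printf '%s\n' "$_name"; else printf 'localhost\n'; fi
}

# Write inittab, rc.sysinit, rc and a sample sysconfig/network under $1.
make_bootfiles() {
    _root="$1"
    mkdir -p "$_root/etc/rc.d" "$_root/etc/sysconfig"

    # Runlevels are irrelevant on the floppy: one sysinit entry, one rc entry
    # (called with no runlevel argument), and a shell respawned on the console
    # because mingetty and login did not fit on the disk.
    cat > "$_root/etc/inittab" <<'EOF'
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l3:3:wait:/etc/rc.d/rc
1:3:respawn:/bin/sh
EOF

    # rc.sysinit: mount everything in /etc/fstab (including /proc) and set the
    # hostname from the RedHat-style /etc/sysconfig/network file.
    cat > "$_root/etc/rc.d/rc.sysinit" <<'EOF'
#!/bin/sh
/bin/mount -a
HOSTNAME=localhost
[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network
/bin/hostname "$HOSTNAME"
EOF

    # rc: bring up networking, start syslog, then run rc.local if present.
    # The init.d/network path is an assumption, not from the original page.
    cat > "$_root/etc/rc.d/rc" <<'EOF'
#!/bin/sh
/etc/rc.d/init.d/network start
/sbin/syslogd
[ -x /etc/rc.d/rc.local ] && /etc/rc.d/rc.local
EOF

    # Constructed sample network file; "floppyfw" is an assumed hostname.
    cat > "$_root/etc/sysconfig/network" <<'EOF'
NETWORKING=yes
HOSTNAME="floppyfw"
EOF

    chmod 755 "$_root/etc/rc.d/rc.sysinit" "$_root/etc/rc.d/rc"
}

# Verify the staged tree has the pieces init will look for. Returns 0 if
# inittab names an executable sysinit script and an executable rc script.
check_bootfiles() {
    _root="$1"
    _tab="$_root/etc/inittab"
    [ -f "$_tab" ] || return 1
    _sysinit=$(sed -n 's/^[^:]*::sysinit:\(.*\)$/\1/p' "$_tab" | head -n 1)
    [ -n "$_sysinit" ] || return 1
    [ -x "$_root$_sysinit" ] || return 1
    _rc=$(sed -n 's/^[^:]*:[0-9]*:wait:\(.*\)$/\1/p' "$_tab" | head -n 1)
    [ -n "$_rc" ] || return 1
    [ -x "$_root$_rc" ] || return 1
    return 0
}

if [ -n "$1" ]; then
    make_bootfiles "$1"
    check_bootfiles "$1" && echo "staged OK, hostname: $(read_hostname "$1/etc/sysconfig/network")"
fi
```

Run it with a scratch directory as the only argument, inspect the result, then copy the tree onto the root filesystem image. The check deliberately reads the script paths back out of inittab rather than hard-coding them, so it catches a typo in inittab as well as a missing or non-executable script, which is the failure mode that leaves a headless floppy router silently stuck at boot.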

© 1999-2003 by
Mike Cencula
All rights reserved.
