Barring any more suggestions/changes, this FAQ is ready to submit.
Feedback?
************************ START OF FAQ *********************************
***************************************
** Choosing LEAF Version FAQ **
***************************************
By Lynn Avants aka Guitarlynn
with plenty of help from other developers
The LEAF (Linux Embedded Appliance Firewall) project is one of my
favorite IT tools. Do you need a small Linux distribution that will
scale down to a single floppy disk? That is expandable to span several
floppies or a flash disk? One that doesn't require a hard drive? Do you
want a firewall that you can make from old spare parts, or find lying
in the trash or a friend's garage, that will offer you more protection
than a low-priced commercial firewall without too much effort? Do you
desire the flexibility of adding VPN, ssh2, and other services to such
a device? Do you desire something to use as a "thin client" or a
terminal client operating system? Then one of the LEAF versions is
probably just what you've been looking for.
The suggested minimum requirements for LEAF are as follows:
A 486DX33 with 16 MB of RAM for floppy versions and 24 MB of RAM for
the cdrom versions. Either two network cards for cable/DSL users or a
network card and modem for dial-up/ISDN users will be required to make
the necessary network connections. These minimums should provide you
with a sound and stable piece of equipment that won't require a monitor
or keyboard. A few people have reported having LEAF boxes running that
haven't been touched in close to a year or more (in fact I had one
myself, though a recent upgrade required me to restart it).
For an idea of how LEAF should perform on your hardware, 486 systems can
typically route 3-6 Mbit/s, more than enough for the average
cable-modem/xDSL connection. Users with a PPPoE connection or a VPN
gateway (both CPU intensive) will likely see speed increases using a
Pentium-1 class system. Another big advantage of most Pentium systems is
the availability of PCI slots, allowing the use of modern, inexpensive
(and easy to configure!) PCI network cards. As a cable user myself
running straight DHCP, a 486DX2 has provided me with the maximum
possible bandwidth for my connection.
The major difference between LEAF distributions and your regular Linux
distributions is that LEAF is "embedded" Linux. This means that the
system runs on a virtual disk in RAM, which is fast and keeps the
boot/configuration disk(s) safe from data loss if the system crashes.
Dachstein and Oxygen are configurable to run on virtually any type of
disk you can throw at them. Some people have built half-rack 2U
router/bridge/firewalls and servers out of LRP. An interesting point of
LEAF is that, since it runs from a write-protected floppy or a
stand-alone cdrom setup, if the machine is compromised you can just
restart it and it is back to the original setup (the restart restores
the configuration, though it does not close whatever hole was used to
get in, so that still needs to be found). All parts are typically
common PC hardware, so you can always find and buy hardware for it if
something goes bad.
Dachstein
-The brand new release from Charles Steinkuehler, whose last release
(EigerStein) is probably the most used branch of all LRP-based distros
in the last year or two. He picked up Matthew Grant's "mountain" branch
and started "extending scripts" to make Mr. Grant's release easier to
use and add more functionality.
This is generally the version of choice for those new to LEAF, since
90% of the configuration is in one file (network.conf) and the default
disk includes a DHCP server, a DNS cache-proxy, a web-based system
monitor, and SSH (on the cdrom version). VPN passthrough is also
configurable and working with the IPSec and PPTP protocols. Dachstein
can be used as a masquerading firewall, a non-masquerading firewall, or
a non-firewalling router.
The cdrom version of Dachstein has just been released (cd-v1.0.2).
Charles is one of the primary developers at LEAF. This is what I use
for my firewall at home.
Oxygen
-David Douthitt is another of LEAF's primary developers with his
incredible Oxygen branch. Although Oxygen can do all the firewalling,
routing, and bridging that almost all LRP derivatives do, he has taken
a different direction in having Oxygen work best as a miniature-scale
"jack-of-all-trades" distro. Scalable from a single floppy to a full 7
in the floppy release, he has just released the Oxygen cdrom, which
works more like a full-fledged distro running on a LEAF system and
includes development tools for LEAF and documentation that other LEAF
versions do not. Oxygen is using a 2.2.19 kernel now, and a 2.4 series
kernel is in testing with iptables on the development cdrom. Advanced
features such as network booting, thin client setup, machine rescue,
and network monitoring are built in. The cdrom version also has a LEAF
developer's kit on it if you feel the need to make something for LEAF
that isn't already available. I always have Oxygen available for use
when I need an outstanding tool or something more specialized than what
normally comes on Dachstein or other LEAF/LRP releases. It should also
be noted that Oxygen does not come with a firewall in the image. If you
want to use one with Oxygen, you have excellent choices among the
LEAF-supported ones later in this FAQ.
LRP - the Original
-Dave Cinege's original LRP release. This is not part of the LEAF
project, but is mentioned out of respect for being the base that the
LEAF versions came from. Development has been rather slow, but the
upcoming "Butterfly" release (LRP v4.0) may come someday. If it does,
most hints have pointed in the direction that it will not be anything
like the earlier releases. The most recent release has been 2.9.8, which
uses either a 2.0.x or 2.2.x kernel. This distro is best as a regular
router and tool-kit distro. LRP 2.9.x is supported by some members and
developers on LEAF, and also on the distro's own domain at
http://www.linuxrouter.org .
LRP 2.9.8 is available on the LEAF site in the Old Releases section.
FIREWALL APPLICATIONS DEVELOPED AND/OR SUPPORTED ON LEAF
The firewall programs listed below will run with LEAF and are supported
on the leaf-user mailing list by their respective authors.
EchoWall Firewall
-Author Scott Best describes the target user of EchoWall as the
beginner to intermediate user of LRP/LEAF systems who wants a solid
foundation with a *high level* customization capability. EchoWall
contains pre-setups for 35 applications that require firewall and
port-forward customizations: NetMeeting, VNC, Asheron's Call, Unreal
Tournament, PPTP, etc. A user would simply have to tell EchoWall what
apps they want to run, and on what machine, and the scripts handle the
rest. If you need extra configuration that is not included in the
'list', you will likely be better off using a firewall tool that does.
EchoWall is supported on the LEAF user mailing list.
Seattle Firewall
-Author Tom Eastep has indicated that "Seawall grew without any firm
ideas about what it should (and should not) be. I built the original
Seawall scripts because I needed a firewall for my own home office and
made them available to others who had similar requirements. At its
core, Seawall is a masquerading (NAT) gateway and it works poorly (or
not at all) if you try to make it do something different. If I had to
define a target user for Seawall today, it would be a beginning to
intermediate Linux user with a single (static or dynamic) network IP
address" (to the internet). Seattle Firewall is supported on both
http://lists.sourceforge.net/mailman/listinfo/seawall-user and on the
leaf-user mailing list.
Seattle Firewall will work with many major 2.2.x ipchains
distributions, including LEAF.
RCF Linux Firewall
-Known as "rc.firewall", this is a modularized firewall tool that
supports over 50 network services. It is an extremely configurable tool
that will run on most major distros (including LEAF, of course) and all
2.0.x, 2.2.x, and 2.4.x ipchains systems. Jean-Sebastien Morisset is
the project author and is frequently heard from on the LEAF mailing
lists. This is a choice for a more experienced user who desires to run
many services.
Shorewall Firewall ****NOTE**** WILL NOT WORK ON LEAF....YET!!!
-This is a 2.4.x kernel firewall (iptables) that is also written by
Tom Eastep. Tom describes Shorewall as:
"With Shorewall (which only runs on 2.4 kernels), I have attempted to
provide a very flexible firewall framework at the expense of making it
more difficult for newbies to use. This approach was prompted by my
frustration about all of the things that Seawall can't do well. With
Shorewall, I really don't have a target user in mind -- I've tried to
make it handle all of the various (reasonable) requirements that I've
seen since getting involved with firewalls.
To address the needs of the newbie, I have recently added parameterized
sample configurations for one-, two- and three-interface setups. With
these, the user replaces some of the Shorewall configuration files with
files from the appropriate sample then edits /etc/shorewall/params to
match their configuration. This makes it simple to set up simple
configurations and follows the design principle that "it must be simple
to do simple things"."
This is currently not used on LEAF, until LEAF moves to a 2.4.x kernel.
A few 2.4.x test kernels and an iptables package have been seen in
testing at this time, but not in a beta of any kind. It won't work on
LEAF...YET!
************************ END OF FAQ **********************************
_______________________________________________
Leaf-devel mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-devel