This is a bit long, so here are the main points.
* Coyote Linux makes setting up a firewall way too easy.
* The Linuxcare Bootable Business Card rocks.
* My firewall uses 32 watts.
* Yet another failed tech startup.
* Diverse tales of hardware acquisition and assembly.
Dragon Singer, I don't know if you're still wrestling with your
firewall or not, but you might want to check out Coyote. When
it works, it works really slick.
The story so far: Bob and Anne moved in February, and ordered DSL
weeks before they moved. It was finally installed on March 20th,
right on schedule. (Yay, PacBell!) The DSL is actually from a
company called SBC, who, I think, do DSL for Qwest, too. SBC sent me
a USB DSL modem with a Windows-only driver. I called them up and
asked them for a different modem. I told them I had a Linux box and
they were unimpressed, and then I said, "Oh, I mean it's a Mac", so
they sent me a second DSL modem with an Ethernet interface. The
Ethernet interface is apparently wired backwards, because it uses a
regular cable, not a crossover cable.
So, on March 20th, I went to work (I'm working at a really fun client
this month, and I'll tell you about them later), and Anne, whose
company went bust (see below) and is not working, installed the
software SBC provided on her Windows box. She now has a little button
on the bottom of the screen she can click to initiate a connection.
Very rinky-dink. From this, we learned that our DSL uses PPPoE and
what our name servers are, and other info that would be useful.
Enter Coyote Linux.
I had looked at their web site a couple of weeks ago, and I saw that
Coyote Linux does exactly one thing: a NAT firewall for people with
dialup, DSL or cable modems. It requires two Ethernet cards -- one
for the LAN, and one for the outside world. It boots off a floppy.
No hard disk required. Coyote is based on LRP, the Linux Router
Project.
That's exactly what I want except... I was going to use an old laptop
for the firewall, with PCMCIA Ethernet cards. Coyote does not support
PCMCIA.
So I installed Debian on the laptop, and was getting ready to set up
all the configuration stuff the hard way. It was my first Debian
install, so I spent a lot of time on it. Did most of it at a friend's
house because he has IDSL.
Meanwhile...
Anne was working at Geocast Network Systems. Geocast was a startup
that was building a consumer box that is sort of a caching HTTP proxy.
It would receive continuous streaming buttloads of data from TV
sideband or satellite, store the most useful stuff on its hard disk,
and feed what you ask for to your PC through the USB port, for viewing
in your web browser. Heavy emphasis on streaming video, since that's
what other Internet connections can't deliver very well. Windows
only, but the box ran NetBSD. There's more to their product than
that, but that's the gist. Anyway, the technology was nearly there,
but the funding dried up, and Geocast shut down. Geocast is selling
off its assets, which includes a lot of computer equipment. Employees
are getting first dibs on the equipment, which is a nice consolation
prize. (-:
Geocast built a bunch of little computers they called blocks, which
were prototypes for the consumer box. The block is a standard, low
end PC with a Celeron, an Ethernet, and a big disk, in a very small
tower case. Four PCI slots. Nothing special, but Geocast was
selling them cheap, so we got two. Without the big disks. The block
also does not have a CD-ROM or floppy.
Yesterday, Anne stopped in a local Mom 'n' Pop computer store (it had
a big banner in the window that said, "We Know LINUX" (-: ) and picked
up a floppy drive and a noname NIC. Then she picked up the blocks.
Now we have all the pieces to build a Coyote Linux firewall.
The hardest problem was identifying the Ethernet cards. The one we
bought had a chip labelled RTL8139, which I recognized as a Realtek,
because I have a Realtek in jogger-egg. The one that came in the
block I did not recognize. I called my friend who had done kernel
hacking at Geocast (the same friend who lent me the IDSL connection),
and he told me his cubemate had hacked on the Ethernet driver, but he
didn't remember what the chip was.
So. I took the CD-ROM drive out of jogger-egg and put it into the
block, then booted the Linuxcare Bootable Business Card. BBC is cool
-- it's a Linux distro that runs off the CD. Useful for rescue or
extremely temporary Linux installations. So I booted BBC, and I
looked in /proc/pci. /proc/pci told me that the Ethernet card's
vendor is Macronix and the model was some five digit number that I've
since forgotten. (-:
I grepped through the kernel sources for Macronix, and found it
mentioned in tulip.c. Also found the five digit number in tulip.c.
So it's a DEC Tulip clone.
Now I have all the information I need to install Coyote.
I installed the floppy drive in the block. This was the part where I
got dumb. There are two connectors on the floppy cable, and two ways
to install either connector onto the drive. I tried all four
combinations. Unfortunately, one of the combinations apparently
erased the floppy I was using, so it never did boot. :-( Finally I got
smart and went to look at how jogger-egg is cabled, since it was still
on the operating table from its recent CD-ROMectomy, then I re-burned
the floppy (had to low-level format it before Windows would talk to
it again).
Windows? What was on that floppy? What's going on here?
You can install Coyote from a floppy and configure it after you
install it, or you can use the Coyote Wizard on Windows to configure
the firewall before you make the floppy.
I downloaded the Wizard. After all, the Windows box was the one on
the DSL line. (-: The wizard is very slick. You have to know several
facts about your installation before you start. Specifically, you
have to know:
* What type of Ethernet cards you have.
* How to connect to your ISP. In my case, that meant PPPoE, and my
  username and password.
* Your ISP's name servers' IP addresses.
* Your domain name.
* Your LAN's private address space.
* Whether you want the firewall to serve DHCP.
The second floppy booted. I plugged in the DSL line. It took a few
seconds, but DSL came up. I set up a mini-LAN to test with (a hub and
one laptop). On the laptop, my initial exchange was a lot like this.
# dhcpcd eth0
# ping www.google.com
PING google.lb.google.com (216.239.35.100): 56 data bytes
64 bytes from 216.239.35.100: icmp_seq=0 ttl=55 time=35.8 ms
64 bytes from 216.239.35.100: icmp_seq=1 ttl=55 time=27.2 ms
...
You can't ask for anything sweeter than that.
We have a power meter. We can plug something into it and watch how
much power it uses. It does long-term averaging and will report
kWh used and stuff. I unplugged the firewall (no hard disk, no
need to shutdown cleanly), and plugged it into the power meter.
It uses 50 watts during boot, then settles down to 32-33 watts
steady state. I'd already unplugged the DSL and mini-LAN, so I
don't know yet how network traffic affects the power. Probably
not much.
You can configure Coyote through the console, but I took off the
monitor, keyboard, and mouse, so I'll have to hook those up to it if I
want to change any of its settings. You can also enable telnet into
the box, but I didn't, for security reasons.
When you log into Coyote, you come up in a thing called lrcfg (Linux
router config), which is a menu-based front end to all the config
files. It just drops you into an editor so you can edit, e.g.,
/etc/dhcpd.conf. Nice, but not earth-shattering. When you exit
lrcfg, you're at a bash prompt.
Future Plans
Now I need to reconfigure the AirPort to stop serving DHCP.
Unfortunately, to do that, I have to take the AirPort to a friend's
house because he has a Mac that can configure it right. (Yes, this is
the same friend who has the IDSL and hacked kernels for Geocast. He
is also the same friend who has seven disk drives sitting at our house
because Anne picked them up for him at Geocast's fire sale. Hi, Brad!
(-: )
We need a home DNS server. I don't know whether to try to put that
onto the firewall or keep a second machine running all the time at 32
watts (Hey, we live in California. We might have to start paying the
wholesale rate for our electricity some day. (-: )
I'd also like to poke a hole through the firewall so we can ssh into
our home machines from the rest of the world. Coyote lets you add
arbitrary ipchains rules, so that shouldn't be too hard.
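As an added illustration of what "poking a hole" for ssh looks like on a 2.2-kernel NAT box of this kind (this is my example, not Bob's script and not anything shipped with Coyote), the script below generates the ipchains and ipmasqadm portfw commands needed to let one LAN host accept ssh from a single outside network, logging and dropping every other inbound port-22 attempt. It assumes the WAN link is ppp0 and reads the current dynamic address out of ifconfig output; the interface name, the LAN host, the allowed source network and the sample ifconfig text are all constructed placeholders, and nothing here executes the commands unless you pipe them to a shell yourself.

```shell
#!/bin/sh
# Added example, not part of the original post or of Coyote Linux.
# Assumptions: 2.2-kernel firewall using ipchains for filtering and
# ipmasqadm for port forwarding; WAN link is ppp0 (PPPoE).

WAN_IF="${WAN_IF:-ppp0}"                      # link to the ISP (assumed)
LAN_HOST="${LAN_HOST:-192.168.1.10}"          # inside box to reach (placeholder)
ALLOW_FROM="${ALLOW_FROM:-203.0.113.0/24}"    # where we ssh from (placeholder, TEST-NET-3)

# wan_ip: pull the "inet addr:" field out of ifconfig output for the WAN
# link. The address is dynamic, so rules must be regenerated when it changes.
wan_ip() {
  printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# ssh_hole_rules WAN_ADDRESS: print (do not run) the commands that open the
# hole. Order matters: the narrow ACCEPT precedes the logged catch-all DENY.
ssh_hole_rules() {
  addr="$1"
  cat <<EOF
ipchains -A input -i $WAN_IF -p tcp -s $ALLOW_FROM -d $addr 22 -j ACCEPT
ipchains -A input -i $WAN_IF -p tcp --dport 22 -j DENY -l
ipmasqadm portfw -a -P tcp -L $addr 22 -R $LAN_HOST 22
EOF
}

# Constructed ifconfig output used for offline demonstration.
SAMPLE_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet addr:198.51.100.7  P-t-P:198.51.100.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1'

# Usage on the firewall would be:  ssh_hole_rules "$(wan_ip "$(ifconfig ppp0)")" | sh
# Here we only show the rules that would be applied for the sample address.
ssh_hole_rules "$(wan_ip "$SAMPLE_IFCONFIG")"
```

The catch-all DENY with -l is the defender's friend: it turns every stray ssh probe from the rest of the world into a logged event on the firewall console, while the ACCEPT keeps the hole as narrow as the network you actually connect from.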
Since we have a dynamic IP address, I'd like to set up dynamic DNS to
point to us. Then we can ssh in by hostname, not IP.
Finally, I'd like to set up a DMZ between home and the Internet, and
put up some servers. Specifically, I'd like to do a photo server for
our digital photos. Maybe an SMTP server, too. But that's a long
term plan.
Anyway, if you read this far, you must be bored. Get up and take
a walk. (-:
Obligatory URLs
http://www.coyotelinux.com/
http://www.linuxrouter.org/
http://www.google.com/
http://www.dyndns.org/
--
Bob Miller K<bob>
kbobsoft, LLC, software consulting
http://kbobsoft.com [EMAIL PROTECTED]