Based on feedback and a few personal edits, I submit rev.2 of 
a LEAF Version FAQ for more feedback, opinions, etc.......

It has been modified quite a bit.
-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!



**********************Start of FAQ************************************

                    ***************************************
                    ** Choosing LEAF Version FAQ **
                    ***************************************
                    By Lynn Avants aka Guitarlynn



 The LEAF (Linux Embedded Appliance Firewall) project is one of my
favorite IT tools. Do you need a small Linux distribution that will
scale down to a single floppy disk, or expand to span several floppies
or a flash disk, and doesn't require a hard drive? Do you want a
firewall that you can build from old spare parts, or from hardware found
lying in the trash or a friend's garage, that will offer you more
protection than a low-priced commercial firewall without too much
effort? Do you desire the flexibility of adding VPN, ssh2, and other
services to such a device? Do you desire something to use as a
"thin client" or a terminal client operating system? Then one of the
LEAF versions is probably just what you've been looking for.

 The suggested minimum requirements for LEAF are as follows:
a 486DX33 with 16 MB of RAM for the floppy versions, and 24 MB of RAM
for the cdrom versions. Either two network cards (cable/DSL users) or
a network card and a modem (dial-up/ISDN users) will be required to make
the necessary network connections. These minimums should provide you
with a sound and stable piece of equipment that won't require a monitor
or keyboard. A few people have reported LEAF boxes running untouched for
close to a year or more (in fact I had one myself, though a recent
upgrade required me to restart it).

 For an idea of how LEAF should perform on your hardware: an old Pentium 1
with the suggested 24 MB of RAM can saturate a T1 WAN connection using
PCI network cards. It should be noted that PPPoE users have seen sizable
bandwidth gains running Pentium 1 166-233 MHz boxes, but as a cable user
myself running straight DHCP, a 486DX2 has provided me with the maximum
possible bandwidth for my connection.

 The major difference between LEAF distributions and regular Linux
distributions is that LEAF is "embedded" Linux. This means that the
system runs on a virtual disk in RAM, which is fast and keeps the
boot/configuration disk(s) safe from data loss if the system crashes.
Dachstein and Oxygen are configurable to run on virtually any type of
disk you can throw at them. Some people have built half-rack 2U
router/bridge/firewalls and servers out of LRP. An interesting point of
LEAF is that, because it runs from a write-protected floppy or a
stand-alone cdrom setup, if the machine is compromised you can just
restart it and it is back to the original setup (the restart restores
the saved configuration, so whatever hole let the intruder in still has
to be closed in that configuration). All parts are typically common PC
hardware, so you can always find and buy hardware for it if something
goes bad.



 Dachstein

-The brand-new release from Charles Steinkuehler, whose previous
release (EigerStein) is probably the most used branch of all LRP-based
distros in the last year or two. He picked up Matthew Grant's
"mountain" branch and started "extending scripts" to make Mr. Grant's
release easier to use and add more function.

This is generally the choice version for those new to LEAF, being that
90% of the configuration is in one file (network.conf) and includes a
dhcp server, a DNS cache-proxy, a web-based system monitor, and SSH
(server and client) on the default disk. VPN passthrough is also
configurable and working with IPSec and PPtP protocols. Dachstein
can be used as a masquerading firewall, a non-masquerading firewall,
or a non-firewalling router.

 A cdrom version of Dachstein has just been released (cd-v1.0.2).
Charles is one of the primary developers at LEAF. This is what I use
for my firewall at home.


 Oxygen

-David Douthitt is another of LEAF's primary developers with his
incredible Oxygen branch. Although Oxygen can do all the firewalling,
routing, and bridging that almost all LRP derivatives do, he has taken
a different direction in having Oxygen work best as a miniature-scale
"jack-of-all-trades" distro. Scalable from a single floppy to a full
seven floppies in the floppy release, he has just released the
Oxygen-cdrom, which works more like a full-fledged distro running on a
LEAF system and includes development tools for LEAF and documentation
that other LEAF versions do not. Oxygen is using a 2.2.19 kernel now,
and a 2.4 series kernel is in testing with iptables on the development
cdrom. Advanced features such as network booting, thin-client setup,
machine rescue, and network monitoring are built in. The cdrom version
also has a LEAF developer's kit on it if you feel the need to make
something for LEAF that isn't already available. I always have Oxygen
available for use when I need an outstanding tool or something more
specialized than what normally comes on Dachstein or other LEAF/LRP
releases.


 LRP-the Original

-Dave Cinege's original LRP release. This is not part of the LEAF
project, but is mentioned out of respect for being the base that the
LEAF versions came from. Development has been rather slow, but the
upcoming "Butterfly" release (LRPv4.0) may come someday. If it does,
most hints have pointed in the direction that it will not be anything
like the earlier releases. The most recent release is 2.9.8, which uses
either a 2.0.x or 2.2.x kernel. This distro is the best as a regular
router and tool-kit distro. LRP 2.9.x is supported by some members and
developers on LEAF, and also on the distro's own domain at
http://www.linuxrouter.org .
LRP 2.9.8 is available on the LEAF site in the Old Releases section.



 FIREWALL APPLICATIONS DEVELOPED AND/OR SUPPORTED ON LEAF

The firewall programs listed below will run with LEAF and are supported 
on the leaf-user mailing list by the respective authors. 


 Echowall Firewall
        Author Scott Best describes the target user of EchoWall as the
        beginner to intermediate user of LRP/LEAF systems who wants a
        solid foundation with a *high level* customization capability.
        echoWall contains pre-setups for 35 applications that require
        firewall and port-forward customizations: NetMeeting, VNC,
        Asheron's Call, UnReal Tourney, PPTP, etc. A user would simply
        have to tell echoWall what apps they want to run, and on what
        machine, and the scripts handle the rest. If you need extra
        configuration that is not included in the 'list', you will
        likely be better off using a firewall tool that does include it.
        EchoWall is supported on the LEAF user mailing list.


 Seattle Firewall
        Author Tom Eastep has indicated that "Seawall grew without any firm
        ideas about what it should (and should not) be. I built the original
        Seawall scripts because I needed a firewall for my own home office
        and made them available to others who had similar requirements.

        At its core, Seawall is a masquerading (NAT) gateway and it works
        poorly (or not at all) if you try to make it do something different.
        If I had to define a target user for Seawall today, it would be a
        beginning to intermediate Linux user with a single (static or
        dynamic) network IP address" (to the internet). Seattle Firewall is
        supported on both
        http://lists.sourceforge.net/mailman/listinfo/seawall-user and on the
        leaf-user mailing list.
        Seattle Firewall will work with many major 2.2.x ipchains
        distributions, including LEAF.


 RCF Linux Firewall
        Known as "rc.firewall", this is a modularized firewall tool that
        supports over 50 network services. It is an extremely configurable
        tool that will run on almost all major distros (including LEAF,
        of course) and all 2.0.x, 2.2.x, and 2.4.x ipchains systems.
        Jean-Sebastien Morisset is the project author and is frequently
        heard from on the LEAF mailing lists. This is a choice for a more
        experienced user who desires to run many services.


 Shorewall Firewall ****NOTE**** WILL NOT WORK ON LEAF....YET!!!
        This is a 2.4.x kernel firewall (iptables) that is also written by
        Tom Eastep. Tom describes Shorewall as:
        
        With Shorewall (which only runs on 2.4 kernels), I have attempted to
        provide a very flexible firewall framework at the expense of making
        it more difficult for newbies to use. This approach was prompted by
        my frustration about all of the things that Seawall can't do well.
        With Shorewall, I really don't have a target user in mind -- I've
        tried to make it handle all of the various (reasonable) requirements
        that I've seen since getting involved with firewalls.

        To address the needs of the newbie, I have recently added
        parameterized sample configurations for one-, two- and
        three-interface setups. With these, the user replaces some of the
        Shorewall configuration files with files from the appropriate sample
        then edits /etc/shorewall/params to match their configuration. This
        makes it simple to set up simple configurations and follows the
        design principle that "it must be simple to do simple things"."

        This is currently not usable on LEAF, until LEAF moves to a 2.4.x
        kernel. A few 2.4.x test kernels and an iptables package have been
        seen in testing at this time, but not in a beta of any kind. It won't
        work on LEAF...YET!



 #######################
 ## LRP COMMAND HELP  ##
 #######################

This section is a short reference of the iproute2 commands and other
tidbits of information that are commonly asked for by LEAF users. These
may save you a little time.


 # start the lrp configuration applet
 lrcfg

 The network script will bring up or down any network card:
# svi network
Usage: network start|stop|reload
 network ifup|ifdown|ifreset eth0|eth1|eth2|all
 network ipfilter load|flush|reload
 network ipfilter list [input|output|forward|autofw|mfw|portfw]
 network ipfilter list masq|masquerade

 you can also use the net command
# net
Usage: net start|stop|reload
 net ifup|ifdown|ifreset eth0|eth1|eth2|all
 net ipfilter load|flush|reload
 net ipfilter list [input|output|forward|autofw|mfw|portfw]
 net ipfilter list masq|masquerade

 IP COMMANDS - {ifconfig/route comparable commands}
#ip address show - {ifconfig}
#ip address add 1.2.3.4/24 broadcast 1.2.3.255 dev eth0
  - {ifconfig eth0 1.2.3.4 netmask 255.255.255.0 broadcast 1.2.3.255}
#ip link set dev eth0 up - {ifconfig eth0 up}
#ip route show - {route -n}
#ip route add default via 1.2.3.4 - {route add default gw 1.2.3.4}
#ip route add nat 1.2.3.4 via 192.168.1.10
  - {iproute2 stateless NAT: traffic to 1.2.3.4 is rewritten to 192.168.1.10;
     no ifconfig/route equivalent}
#ip route add 192.168.0.0/24 via 192.168.0.1 dev eth0 [static route]
#ip neigh show - {arp -a -n}
#ifcfg eth0 1.2.3.4/24 - {iproute2 helper script: address plus route in one step}
#netstat -i
#netstat -r

 LOGS
#/var/log/syslog
#/var/log/messages

 ADDING MORE MODULES
# mount -t msdos /dev/fd0 /mnt
# cp /mnt/* /lib/modules
# umount /mnt (or) umount msdos /mnt

 ADDING A NEW PACKAGE
# lrpkg -i <packagename>
*NOTE* Also add to syslinux.cfg or lrpkg.cfg on your boot device
 to load at boot.


 START FORWARDING (ROUTING)
*NOTE* This should be automatically done with LEAF, this is FYI!
 #echo "1" > /proc/sys/net/ipv4/ip_forward

 MY COMMON NIC SETUPS
#3c5x9 - set io=300,320 irq=10,11 with 3c5x9cfg DOS utility
#ne io=300 - also load the "8390" module
#smc-ultra io=300 irq=10

 DUPLEX SETTINGS
# half-duplex for connections to Cable/DSL modems and hubs. (default)
# full-duplex for NIC-to-NIC, router, and most switch connections.

 
# to set the SILENT_DENY (no logging) option of the Dachstein firewall:

 # rule in the network.conf script to quit logging on certain packets
 # (the packets are still denied, they just no longer show up in the logs)
 SILENT_DENY="[protocol#]_[source ip address]/[netmask]_[destination port#]"
 *note* - the netmask and destination port# are optional, i.e. the short
 form is SILENT_DENY="ProtoNumber_SourceAddress"
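 The following is an added example, not code from the FAQ or from the
 Dachstein scripts. It shows what a SILENT_DENY entry stands for by
 expanding each "proto#_source[/netmask][_port]" entry into the ipchains
 DENY rule it describes, written WITHOUT the -l flag so the packet is
 dropped but not logged. The chain name "input", the rule layout and the
 sample setting are assumptions made for the illustration; Dachstein's
 own scripts may build the rule differently.

```shell
#!/bin/sh
# Added example (not from the FAQ or the Dachstein scripts): expand a
# SILENT_DENY entry of the form  proto#_srcaddr[/netmask][_dstport]  into
# the ipchains DENY rule it stands for, without -l, so no log entry is made.
# Chain name "input" and rule layout are assumptions for illustration.

silent_deny_rule() {
    entry=$1
    case $entry in
        *_*) ;;
        *) echo "SILENT_DENY entry '$entry' needs at least proto_source" >&2; return 1 ;;
    esac
    proto=${entry%%_*}            # text before the first underscore
    rest=${entry#*_}              # everything after it
    case $rest in
        *_*) src=${rest%%_*}; dport=${rest#*_} ;;   # source and destination port
        *)   src=$rest;       dport="" ;;           # source only
    esac
    case $proto in
        ''|*[!0-9]*) echo "protocol in '$entry' must be a number" >&2; return 1 ;;
    esac
    case $src in
        */*) ;;                   # netmask given
        *)   src="$src/32" ;;     # no netmask: treat as a single host
    esac
    # ipchains takes the destination port after the destination address
    if [ -n "$dport" ]; then
        echo "ipchains -A input -j DENY -p $proto -s $src -d 0/0 $dport"
    else
        echo "ipchains -A input -j DENY -p $proto -s $src -d 0/0"
    fi
}

# Expand every whitespace-separated entry of a SILENT_DENY setting.
silent_deny_rules() {
    for e in $1; do
        silent_deny_rule "$e" || return 1
    done
}

# Constructed sample setting: quiet NetBIOS name-service noise (udp/137)
# from one LAN block and all ICMP from one host.
SAMPLE_SILENT_DENY="17_192.168.1.0/24_137 1_10.0.0.5"
silent_deny_rules "$SAMPLE_SILENT_DENY"
```

 Run it with sh and it prints one rule per entry; a malformed entry (a
 protocol name instead of a number, or an entry with no source) is
 rejected instead of being turned into a rule that matches something
 other than what was intended.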


 FIREWALL RUNNING AN RFC PRIVATE-CLASS ADDRESS ON THE WAN CONNECTION
# edit /etc/ipfilter.conf and comment out the line of the function that
# covers your WAN address block (only the relevant lines of the function
# are shown; here a 192.168.x.x WAN address is assumed, so that line is
# the one commented out):

 # A function to filter out martian source addresses
 stop_martians () {
 #RFC 1918/1617/1597 blocks
 $IPCH -A $LIST -j DENY -p all -s 10.0.0.0/8 -d 0/0 -l $*
 #$IPCH -A $LIST -j DENY -p all -s 192.168.0.0/24 -d 0/0 -l $*
 }

 # then have it take effect with "svi network reload".
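 The following is an added example, not part of the FAQ or of the
 Dachstein scripts. Before commenting out a stop_martians line it helps to
 know which block your WAN address actually falls in, so this pure sh
 script (no external tools, so it runs on a floppy-based box) tests an
 address against the private blocks. The FAQ's excerpt lists 10.0.0.0/8
 and a 192.168 block; the full RFC 1918 set (10.0.0.0/8, 172.16.0.0/12,
 192.168.0.0/16) is assumed here, which goes beyond the two lines shown
 above.

```shell
#!/bin/sh
# Added example (not from the FAQ or the Dachstein scripts): report which
# private block a WAN address belongs to, so the matching stop_martians
# line can be commented out. POSIX sh arithmetic only.

ip_to_int() {
    # dotted quad -> 32-bit integer, e.g. 1.2.3.4 -> 16909060
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_cidr() {
    # in_cidr ADDRESS NETWORK/BITS  -> exit 0 when ADDRESS lies inside
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# RFC 1918 blocks (assumed full set; the FAQ excerpt lists only two lines)
PRIVATE_BLOCKS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

martian_block_for() {
    # prints the private block that contains $1, or "none"
    for blk in $PRIVATE_BLOCKS; do
        if in_cidr "$1" "$blk"; then
            echo "$blk"
            return 0
        fi
    done
    echo none
    return 1
}

# Constructed sample WAN address, as handed out by a provider that uses
# private space on its side of the link.
SAMPLE_WAN=192.168.7.9
echo "$SAMPLE_WAN is in block: $(martian_block_for "$SAMPLE_WAN")"
```

 If the answer is "none", leave stop_martians alone: every DENY line in it
 is protecting you from spoofed private-space sources and nothing needs to
 be commented out.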

*************************End of FAQ************************************


_______________________________________________
Leaf-devel mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-devel
