Bering and Bering uClibc are kissing cousins, so what you find in the original Bering docs are relevant to Bering uClibc. Any differences are noted in the uClibc docs.
Check out:
http://leaf.sourceforge.net/doc/guide/binstall.html - Bering Install guide
http://leaf.sourceforge.net/doc/guide/busers.html - Bering Users Guide
http://leaf.sourceforge.net/doc/guide/buc-install.html - Bering-uClibc Installation Guide
http://leaf.sourceforge.net/doc/guide/buc-user.html - Bering-uClibc User's Guide
As far as your requirements, I think you'll find either to be up to snuff, with the exception there is no web based configuration at this time. All CLI baby....
Don't forget to backup your disk after making changes, as they will be lost upon reboot if you don't.
Good Luck
Tony
Calvin Webster wrote:
Well, I've gotten no responses from the list so I think I'm going with the "Bering-uClibc" distribution since it seems to be more actively maintained than most of the others and apparently can handle the multiple interfaces I'll need. Hopefully, someone will chime in with some pointers when they get the time.
From what I've found so far, there is precious little "real" documentation on installation, configuration, and implementation. A nice HTML or PDF User Guide would be nice.
Thanks in advance for any suggestions. :-)
--Cal Webster
On Tue, 2004-03-16 at 18:17, Calvin Webster wrote:
I've been looking over the LEAF distros for a candidate to build a set of border firewall/routers. They are to replace existing devices built with PC hardware and commercial DOS-based firewall software.
I have several questions. Here are a few to start:
1. Given the details below, which distro would be most appropriate?
2. Given the firewall/routing requirements, which dynamic routing protocols would be recommended?
3. Suggestions on configuring IPSEC VPNs over the untrusted networks?
I have given an outline of the project below. This is a fictitious network, but representative of the real project. Details of infrastructure have been obfuscated, but the outline describes project parameters.
Please let me know if I've left out anything.
Thanks!
--Cal Webster
There are 4 devices, one in each building at our site. Two of the new firewalls will run on the older hardware, while the other two will run on recently purchased hardware stored in DiskOnChip. Eventually, I want to replace all older platforms with newer machines and run them from DiskOnChip or straight Flash memory. I have some 40 GB hard drives installed in the new machines on which I plan to build the custom kernels and setup the services for testing.
Old Hardware Platform:
Generic Desktop Chassis
AMD K6-2 336 MHz CPU
1 MB cache
128 MB RAM
2 GB HDD
1.44 FDD
4 3c905 NICs
New Hardware Platform:
Cyber Research 2U rack-mount passive backplane chassis
CPTD CEL/COP-850 All-In-One Single Board Computer
PIII 850 MHz
100 MHz front side bus
Intel 82558 10/100-TX (integrated)
768 MB RAM
256 MB DiskOnChip
1.44 FDD
USB
4 3C905-TX NICs
I began building one new machine with RedHat Linux 8 but had to put the project on hold after finally getting the drivers to work with DiskOnChip.
Here is a summary of the functionality required:
Firewall: stateful packet inspection
NAT/PAT
IPSEC Auth
IPSEC VPN tunneling
Router:
BGP
RIP
Logging to external syslog server
https/ssh configuration/management tool
Port Knocking to trigger remote vpn/ssh access
Optional user authentication to access Internet
Block outbound traffic by IP,subnet,user,port
Block all inbound traffic from untrusted networks except that which is initiated from inside
Allow all traffic between trusted networks.
Fastest available link should be chosen when redundant paths exist.
Here is a sketch of the network:
DSL = 500 Kbps ADSL Link
RF1 = 100 Mbps RF Wireless direct point-to-point link
RF2 = 1.5 Mbps RF Wireless direct point-to-point link
ISP = 2 Mbps Cable ISP
PLANn = Fast Ethernet Private LANs within buildings at site.
[PLAN2] [PLAN2] [Remote User]
| | |
[PLAN1] | [PLAN1] | |
| | | | [Internet]
| | | | |
Building A Building B |
[Firewall 1]<-------------[RF1]------------->[Firewall 2]<--->[ISP]
^ \ / ^
\ \ / /
\ [DSL] [DSL] /
\ \ / / \ \ [Internet] / /
\ \ | / /
\ \ | / /
\ \ | / /
\ \ | / /
[RF1] \ | / [RF1]
\ [Corp Network] /
\ ^ /
\ | /
\ | /
\ [DSL] /
\ | /
\ | /
\ | /
Building C [Firewall 3]---[PLAN1]
^ \
| \--[PLAN2]
|
[RF2]
|
|
Building D [Firewall 4]
| |
| |
[PLAN1] |
|
[PLAN2]
Notes:
1. There are 2 Internet connections, a wideband cable ISP connection (bldg B) and a slower, more problematic DSL connection (bldgs A, B, and C) through the corporate intranet.
2. All RF links use VPN tunneling directly to private LANs.
3. The 3rd high-speed RF link is redundant (not yet installed).
4. DSL links function as backup VPN tunnels between building PLANs.
5. All PLANs must have routes to all other PLANs.
6. Only PLANs and VPNs are trusted networks - all others are "external", untrusted connections.
7. No external ports are open on any firewalls - only VPN tunnels.
8. No routes will be advertised on external ports.
9. All PLANs must have routes to Internet (bldg B).
Port Configurations:
Firewall 1
[PLAN1] Static, non-routable IP Addr - Local Private Network
[PLAN2] Static, non-routable IP Addr - Local Private Network
[DSL ] Static non-routable IP Addr - Link to Corp intranet, through to Internet
[RF1 ] Static non-routable IP Addr - VPN links to Bldgs B and C
Firewall 2
[PLAN1] Static, non-routable IP Addr - Local Private Network
[PLAN2] Static, non-routable IP Addr - Local Private Network
[ISP ] Static, publicly routable IP Addr - Internet Link
[DSL ] Static non-routable IP Addr - Link to Corp intranet, through to Internet
[RF1 ] Static non-routable IP Addr - VPN links to Bldgs A and C
Firewall 3
[PLAN1] Static, non-routable IP Addr - Local Private Network
[PLAN2] Static, non-routable IP Addr - Local Private Network
[DSL ] Static non-routable IP Addr - Link to Corp intranet, through to Internet
[RF1 ] Static non-routable IP Addr - VPN links to Bldgs A and B
Firewall 4
[PLAN1] Static, non-routable IP Addr - Local Private Network
[PLAN2] Static, non-routable IP Addr - Local Private Network
[RF2 ] Static non-routable IP Addr - VPN link to Bldg C
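As an added illustration (not from this thread or the LEAF project), here is how the trust model above for Firewall 2 could be expressed in the Shorewall configuration files that Bering ships; zone names, the eth numbering and the $PEER_A/$PEER_C variables are assumptions, and the LOG LEVEL column sets the syslog priority that the box's syslogd can forward to the external syslog server.

```text
# /etc/shorewall/zones -- trust classes (names are assumptions)
#ZONE   DISPLAY   COMMENTS
net     Net       Cable ISP link (untrusted)
corp    Corp      DSL link to the corporate intranet (untrusted carrier)
rf      RF        RF1 point-to-point link, raw carrier (untrusted)
loc     Local     PLAN1 and PLAN2 (trusted)
vpn     VPN       IPsec tunnels to Bldgs A and C (trusted)

# /etc/shorewall/interfaces -- eth numbering is assumed
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        detect
loc     eth1        detect
net     eth2        detect      norfc1918,routefilter
corp    eth3        detect      routefilter
rf      eth4        detect      routefilter
vpn     ipsec0      -

# /etc/shorewall/tunnels -- the only traffic accepted on the carrier
# links is IKE/ESP/AH from the named peers ($PEER_A, $PEER_C are
# assumed to be defined in /etc/shorewall/params)
#TYPE   ZONE   GATEWAY    GATEWAY ZONE
ipsec   rf     $PEER_A
ipsec   rf     $PEER_C
ipsec   corp   $PEER_A     # DSL backup tunnels
ipsec   corp   $PEER_C

# /etc/shorewall/policy -- first match wins; replies to connections
# started inside are accepted by connection tracking before these
#SOURCE   DEST   POLICY   LOG LEVEL
loc       loc    ACCEPT                # PLAN1 <-> PLAN2
loc       vpn    ACCEPT                # trusted <-> trusted
vpn       loc    ACCEPT
vpn       vpn    ACCEPT                # transit A <-> C through Bldg B
loc       net    ACCEPT                # Internet for the local PLANs
vpn       net    ACCEPT                # Internet for Bldgs A, C and D
fw        all    ACCEPT
net       all    DROP     info         # no inbound from untrusted
corp      all    DROP     info         # networks; drops are logged
rf        all    DROP     info
all       all    REJECT   info

# /etc/shorewall/masq -- NAT everything leaving on the ISP link
#INTERFACE   SUBNET   ADDRESS
eth2         eth0
eth2         eth1
eth2         ipsec0
```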
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html