Saturday, March 27, 2010

Building a Firewall Appliance

Many years ago there was a post that stated you could take a Nokia IP330 firewall and load Smoothwall Linux on it to create your own freely licensed 1U rackmountable firewall.  Back then I bought an IP330 and it's been sitting in an unopened box ever since.  That's not a huge deal as it only cost me $50 and I didn't have any practical application for a real firewall.

This morning I got the bug.  I needed a project I could geek out on.  So, this was it.  I had searched periodically over the years and found that the original article was gone.  Thank goodness for Google's cache!

The process, simplified, goes like this:

  1. Download and burn Smoothwall Linux 3.0 SP1 (as of today).
  2. Remove the HDD from the Nokia IP330
  3. Attach the Nokia HDD to a surrogate PC that will be used for the installation
  4. Boot/Install
    1. Take the defaults until you're prompted for the basic security posture: open, mostly open or closed.  I chose closed.
    2. You'll be asked to choose the types of interfaces.  GREEN/RED is what you want.  It will default to GREEN/RED (ISDN or Modem), which is not what you want.

      During this process you have to configure your NICs.  The whole process only took me ~2 hours but 30 minutes of it was during this portion.  My surrogate PC had only one NIC, but the type we're choosing requires 2.  More on this in a minute.
    3. Go ahead and set up your LAN (Green) network.  I used and I set the firewall address to
    4. I set my External interface to DHCP so it would pick up an address from my existing internet router.
    5. At this point you can do CTRL-ALT-DEL and reboot the PC.  Unless you have 2 NICs you will not get past this point.  No worries.  It all works out in the end.

  1. Because of the hard reset in the middle of the process I did not get to setup any passwords.  When you're prompted to login do so with 'root' and no password.
  2. Set the CONFIG_TYPE to 3 in /var/smoothwall/ethernet/settings
  3. Configure each of your GREEN, ORANGE and RED settings to match this:

  4. Next, edit /etc/rc.d/ and look in the file for the end of the for loop:

    for NIC in 0 1 2 3; do

    You need to add MAC address entries for each of the NICs.  These are the ones used by the original article, but my IP380 booted and had Checkpoint's IPSO installed so I was able to capture my real MAC addresses:
    ifconfig eth0 hw ether 00:a0:8e:e:50:78
    ifconfig eth1 hw ether 00:a0:8e:e:50:7c
    ifconfig eth2 hw ether 00:a0:8e:e:50:80
  5. Next we need to change /etc/inittab.  Replace the line beginning with 1:2345 with:

    1:2345:respawn:/sbin/agetty -h ttyS0 9600 vt100
  6. Finally, type lilo at the prompt and press Enter, then run shutdown -h now.
After your PC shuts down, remove the HDD, put it back in the Nokia and boot it.  You'll need a console connection to the device so you can run "setup" to set the 3 passwords used on the machine.
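As an added example that is not part of the original post, the following POSIX shell script rehearses steps 2, 4 and 5 above (CONFIG_TYPE, the MAC entries after the NIC loop, the serial getty in inittab) against a scratch copy of the files, so the edits can be checked, and shown to be safe to re-run, before the disk goes back into the appliance. The rc script name rc.netaddress.up, the sample file contents and the MAC addresses are constructed placeholders; substitute the real path and the addresses captured from your own unit.

```shell
#!/bin/sh
# Added example (not from the original post). Rehearses the three post-install
# edits on a scratch tree. Placeholders: the rc script name, sample file contents
# and the MAC addresses (RFC 7042 documentation range).
set -eu

MACS="00:00:5e:00:53:01 00:00:5e:00:53:02 00:00:5e:00:53:03"
RC_NAME="etc/rc.d/rc.netaddress.up"   # placeholder; the post truncates this path

make_scratch_tree() {   # constructed stand-ins for the real files; prints the root
    root=$(mktemp -d)
    mkdir -p "$root/var/smoothwall/ethernet" "$root/etc/rc.d"
    printf 'CONFIG_TYPE=1\nGREEN_DEV=eth0\n' > "$root/var/smoothwall/ethernet/settings"
    printf 'for NIC in 0 1 2 3; do\n  ifconfig eth$NIC up\ndone\necho started\n' > "$root/$RC_NAME"
    printf '1:2345:respawn:/sbin/agetty tty1 38400\n' > "$root/etc/inittab"
    echo "$root"
}

apply_edits() {         # $1 = tree root; every edit is idempotent
    settings="$1/var/smoothwall/ethernet/settings"; rc="$1/$RC_NAME"; inittab="$1/etc/inittab"
    # Step 2: force CONFIG_TYPE=3, appending the key if it is absent.
    if grep -q '^CONFIG_TYPE=' "$settings"; then
        sed 's/^CONFIG_TYPE=.*/CONFIG_TYPE=3/' "$settings" > "$settings.tmp" && mv "$settings.tmp" "$settings"
    else
        echo 'CONFIG_TYPE=3' >> "$settings"
    fi
    # Step 4: pin each NIC's MAC right after the "done" that closes the NIC loop.
    if ! grep -q 'hw ether' "$rc"; then
        awk -v macs="$MACS" '
            /^[[:space:]]*for NIC in 0 1 2 3; do/ { inloop = 1 }
            { print }
            inloop && /^[[:space:]]*done/ {
                n = split(macs, m, " ")
                for (i = 1; i <= n; i++) print "ifconfig eth" (i - 1) " hw ether " m[i]
                inloop = 0
            }' "$rc" > "$rc.tmp" && mv "$rc.tmp" "$rc"
    fi
    # Step 5: hand the first getty to the serial port the appliance console uses.
    sed 's|^1:2345:.*|1:2345:respawn:/sbin/agetty -h ttyS0 9600 vt100|' "$inittab" > "$inittab.tmp" \
        && mv "$inittab.tmp" "$inittab"
}

verify_edits() {        # $1 = tree root; succeeds only when all three edits are present
    grep -qx 'CONFIG_TYPE=3' "$1/var/smoothwall/ethernet/settings" &&
    [ "$(grep -c '^ifconfig eth[0-9] hw ether' "$1/$RC_NAME")" -eq 3 ] &&
    grep -qx '1:2345:respawn:/sbin/agetty -h ttyS0 9600 vt100' "$1/etc/inittab"
}

ROOT=$(make_scratch_tree); apply_edits "$ROOT"; apply_edits "$ROOT"   # run twice on purpose
verify_edits "$ROOT" && echo "all edits applied once under $ROOT"
```

Point the three paths at the mounted Nokia disk instead of the scratch tree once the rehearsal passes.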

You can now surf to the new Smoothwall box via its Green IP address on port 81!  Login with admin and the password you entered during "setup."

Tuesday, March 2, 2010

Keeping Track of Files

Ever wanted to make sure the same file, in this case the hosts file, is on all the PCs you manage at the office, but you don't have the budget for expensive automated software distribution tools?  You can do this with DOS batch or .VBS files.

Make a directory that we have permissions to write into at login.  In that directory create a marker file so we can successfully check to see if the directory exists.  Then we use the same technique to check the version of our hosts file!

Here's the code ...

@echo off
echo *****************************************************************
echo * Executing Login Scripts.  Use of this equipment is restricted *
echo * to authorized employees only.                                 *
echo *****************************************************************
echo.

REM Create the patches directory on the first run; later runs skip this.
IF NOT EXIST c:\patches\NUL mkdir c:\patches

REM The marker file names the hosts revision (yyyymmdd) already applied.
IF EXIST "c:\patches\hosts.20070430" GOTO END

echo Updating Hosts file

cd /d %SYSTEMROOT%\system32\drivers\etc
copy hosts hosts.old /Y
REM Redirecting copy's output creates the marker for this revision.
copy \\FileServer1\Sys\Patches\hosts . /Y > c:\patches\hosts.20070430

echo Done.

:END


We create the directory if it doesn't exist, as previously discussed.  Then we look for the marker file for hosts revision 20070430 (yyyymmdd).  If that file doesn't exist then we: 1. create a backup of our existing hosts file and 2. copy the new hosts file from our network store, sending the output to our marker file in c:\patches.