Build a Floppy Firewall
Andreas Meyer
Here's how I turned an unused PC into a packet-filtering firewall using a package called floppyfw. The firewall boots off a single floppy, runs completely in RAM, and uses ipchains for the filter rules. It also does IP masquerading and port forwarding, and can log to a remote host using syslog. All this in a machine with as little as 8 MB of RAM and no hard drive!
floppyfw's author, Thomas Lundquist, describes it as a Linux "screening router with firewall capabilities". It boots a Linux kernel and comes with a minimal set of tools to get the job done. If you think about it, that's actually a feature. If a bad guy were to get into your firewall machine somehow, there wouldn't be much for him to use against you. And since we're running completely on a RAM disk, a simple reboot from the floppy will restore the system to its original state.
As with many Linux projects, floppyfw has a do-it-yourself aspect. But I'll show you where I found a set of almost-ready-to-run filter rules, so you can quickly set up your own firewall.
Hardware
You probably have a suitable machine sitting around (or enough parts to build one). You will need a 386 or better, with:
- At least 8 MB of RAM
- 3.5" floppy drive
- Video card
- Keyboard
- Video monitor
Note that if you're going to run "headless", you'll only need the keyboard and monitor for setup and testing.
Install a pair of network cards. The following types are supported by floppyfw:
- 3Com 3c509
- NE2000 compatibles
- Tulip-based
- Intel EtherExpress PCI
Make sure each card has its own IRQ and memory address. That's simple to set if your network cards have jumpers on them. I used a pair of 3Com 3c509 cards. The first time I booted the machine, both cards came up at IRQ 10 and 0x300.