Setting up a Floppy-based Firewall with floppyfw

Floppyfw allows you to set up a firewall that runs off a floppy disk. The hardware requirements to use it are minimal. It requires only a 386sx or better PC with two network interface cards, a 1.44 MB floppy drive and 12 MB of RAM. If you have a system with less than 12 MB of memory and no FPU, you can use the earlier 1.0 series of floppyfw, which will be maintained by the developer.

The instructions that follow apply to building floppyfw on a Linux system. They are the steps I followed in creating a particular firewall, but hopefully they will be of use to someone else as well.

I downloaded the latest version of floppyfw from http://www.zelow.no/floppyfw/download.html. On a Linux system, I then used the dd command to create a bootable floppy disk from the floppyfw-current.img file I downloaded. I then used the mcopy command to copy the config file from the DOS-formatted disk to the /tmp directory on the system, where I edited it, and then copied it back to the floppy again with mcopy. You could instead edit the file with notepad on a Windows system, if you wished.

dd if=floppyfw-current.img of=/dev/fd0 bs=72k
cd /tmp
mcopy a:config
vi config

I wanted both sides of the firewall to have static IP addresses, rather than addresses dynamically assigned by a DHCP server, so I changed the lines referring to the assignment of the outside IP address and other network information by DHCP. I also changed the addresses for the inside of the firewall, i.e., the side facing my LAN, to match what I was actually using on the LAN.

Original Values                   New Values

External Side of Firewall
#OUTSIDE_IP=                      OUTSIDE_IP=10.0.6.50
OUTSIDE_IP=DHCP                   #OUTSIDE_IP=DHCP
OUTSIDE_NETMASK=                  OUTSIDE_NETMASK=255.255.255.240
OUTSIDE_NETWORK=                  OUTSIDE_NETWORK=10.0.6.48
OUTSIDE_BROADCAST=                OUTSIDE_BROADCAST=66.22.186.63

Internal Side of Firewall
INSIDE_IP=10.42.42.1              INSIDE_IP=192.168.0.1
INSIDE_DEV=eth1                   INSIDE_DEV=eth1
INSIDE_NETWORK=10.42.42.0         INSIDE_NETWORK=192.168.0.0
INSIDE_NETMASK=255.255.255.0      INSIDE_NETMASK=255.255.255.240
INSIDE_BROADCAST=10.42.42.255     INSIDE_BROADCAST=192.168.0.15

Miscellaneous
DEFAULT_GATEWAY=                  DEFAULT_GATEWAY=10.0.6.1
NAME_SERVER_IP1=                  NAME_SERVER_IP1=10.0.6.5
NAME_SERVER_IP2=                  NAME_SERVER_IP2=64.83.0.10
HOSTNAME=floppyfw                 HOSTNAME=floppyfw
DOMAIN=floppyfwsecured.com        mydomain.com
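
With static addressing, the network and broadcast values have to agree with each IP address and netmask, and the default gateway has to sit on the outside network. The following check is an added example, not part of floppyfw or of the original article; it can be run on the edited config before copying it back to the floppy. The function names are hypothetical, and the sample input is the static-address lines from the New Values column above.

```python
import ipaddress

# Sample input: static-address lines from the "New Values" column of the table.
SAMPLE_CONFIG = """\
OUTSIDE_IP=10.0.6.50
#OUTSIDE_IP=DHCP
OUTSIDE_NETMASK=255.255.255.240
OUTSIDE_NETWORK=10.0.6.48
OUTSIDE_BROADCAST=66.22.186.63
INSIDE_IP=192.168.0.1
INSIDE_NETWORK=192.168.0.0
INSIDE_NETMASK=255.255.255.240
INSIDE_BROADCAST=192.168.0.15
DEFAULT_GATEWAY=10.0.6.1
"""

def parse_config(text):
    """Return KEY=VALUE pairs, skipping blank lines and '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def check_addressing(settings):
    """Return a list of (key, configured, expected) mismatches."""
    problems, nets = [], {}
    for side in ("OUTSIDE", "INSIDE"):
        ip = settings.get(side + "_IP", "")
        if not ip or ip == "DHCP":
            continue  # nothing static to verify on this side
        iface = ipaddress.ip_interface(ip + "/" + settings[side + "_NETMASK"])
        nets[side] = iface.network
        expected = {"_NETWORK": str(iface.network.network_address),
                    "_BROADCAST": str(iface.network.broadcast_address)}
        for suffix, want in expected.items():
            got = settings.get(side + suffix, "")
            if got != want:
                problems.append((side + suffix, got, want))
    gw = settings.get("DEFAULT_GATEWAY")
    if gw and "OUTSIDE" in nets and ipaddress.ip_address(gw) not in nets["OUTSIDE"]:
        problems.append(("DEFAULT_GATEWAY", gw, "host in %s" % nets["OUTSIDE"]))
    return problems

if __name__ == "__main__":
    for key, got, want in check_addressing(parse_config(SAMPLE_CONFIG)):
        print("%s=%s (expected %s)" % (key, got, want))
```

Run on the values as listed in the table, it reports OUTSIDE_BROADCAST and DEFAULT_GATEWAY as not matching the 10.0.6.48/255.255.255.240 outside network; the inside values are consistent.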

After making the above changes to the config file, I copied it back to the floppy and deleted the copy in the /tmp directory.

mcopy config a:
rm config

I then edited firewall.ini to set up the particular firewall rules I needed. I copied the file to the /tmp directory on a Linux system and edited it with the vi editor, but you could also edit the file with notepad on a Windows system, since the floppyfw diskette is DOS-formatted.

mcopy a:firewall.ini
vi firewall.ini

I did want to have SSH access to a server on the inside of the firewall so I modified the line SERVER_IP=10.42.42.42 by replacing the default IP address of 10.42.42.42 with the address of the internal system functioning as an SSH server. I then removed the comment character, "#", from the beginning of the iptables lines below (don't remove the one at the beginning of "# SSH:"):

# SSH:
#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 22 -j DNAT --to ${SERVER_IP}:22
#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 22 -o ${INSIDE_DEVICE} -j ACCEPT

I then saved the changes and used mcopy to copy the modified firewall.ini file back to the floppy.

mcopy firewall.ini a:

Download Sites:

floppyfw Download
MoonPoint Download
