
Journal: Firewall Appliance pt 5

So, the firewall works well. I disconnected the fan, and now it's totally silent. My powermac is loud, but I never realized how noisy the old firewall was.

Now APM and ACPI are kicking me around. The motherboard I bought has 3 onboard RealTek 8139 10/100 ethernet chips; all have the Wake-On-Lan feature. So (and I must admit this is the first time, so why should it work?), I turn the device off, send it the magic packet and...nothing. Hm.

There is no section of the BIOS (Phoenix) specifically to enable WOL, and since the chips are on the board, there is no WOL cable to connect to the motherboard.

So, I search Google for "linux wake on lan onboard ethernet" and turn up 3 pages I cannot read. Either this is a very easy problem to deal with, or I am the only person in the entire world to have taken it on. Somehow I never believe in the second scenario.

Intel has a page on this, but I was too sleepy to read it tonight. I'll have another go at it tomorrow.
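As an added example (my own code, not the journal author's), the magic packet the entry is sending: six bytes of 0xFF followed by the target MAC repeated sixteen times, usually carried as a UDP broadcast to port 9. The function names and the sample MAC are my own constructed values; the sender assumes the appliance sits on the same broadcast segment, since WoL does not cross routers. The parser also lets you check a capture to confirm the packet reaching the NIC is actually well formed before blaming the BIOS.

```python
import re
import socket

# Constructed sample MAC for demonstration; not an address from the journal.
SAMPLE_MAC = "00:e0:4c:12:34:56"
SYNC = b"\xff" * 6  # synchronization stream that opens every magic packet


def _parse_mac(mac: str) -> bytes:
    """Accept 00:e0:4c:12:34:56, 00-e0-4c-12-34-56 or 00e04c123456."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    """Magic packet = 6 x 0xFF, then the target MAC repeated 16 times (102 bytes)."""
    return SYNC + _parse_mac(mac) * 16


def find_magic_packet_mac(payload: bytes):
    """Return the target MAC (lowercase, colon separated) if payload carries a
    well-formed magic packet anywhere inside it (e.g. a raw frame with headers),
    else None. Broadcast-MAC 'targets' are rejected as malformed."""
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6:start + 6 + 96]
        if len(body) == 96:
            mac = body[:6]
            if body == mac * 16 and mac != SYNC:
                return ":".join(f"{b:02x}" for b in mac)
        start = payload.find(SYNC, start + 1)
    return None


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the packet over UDP; returns the number of bytes sent (102)."""
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))


if __name__ == "__main__":
    pkt = build_magic_packet(SAMPLE_MAC)
    print(len(pkt), find_magic_packet_mac(pkt))
```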

Added 25 Feb:

Fanless, the appliance runs at about 37-40C. The BIOS reports that the CPU runs at about 39-42C. That is acceptable. The average power draw is 8 watts. I've used the acpi modules to script a shutdown. When you hit the power button, it boots. Hit it again, and it shuts down cleanly. The machine boots faster if I run the / filesystem read-only and /var lives in ramfs, but there are some issues with metalog now. It needs to get to the /dev/log socket, which cannot be done in read-only. I'll look into devfs to see if that can solve the problem.

Journal: Firewall Appliance pt 4

I put this project down for a long time to work on other stuff (nothing of interest to the slashdot crowd; you'd have to go to the forum site for people who clean out their rain gutters and remove old asbestos from their houses).

When I returned, I used the PXE boot / install method to install Debian Woody 3.0 on the compact flash. This is a vast improvement. I think that the Debian installation and package tools make it much easier to install a minimal system, and the file system errors have disappeared. I think my problem was similar to a RedHat problem I had on another machine, where the fs was not cleanly unmounted by the distro.

I've been building iptables to make it a real gateway, and will post more info in the next week about this.

Of course, I wanted to try OpenBSD, but they do not support PXE booting, so no love there. I read on that the way to install OBSD is to get a laptop hard disk, install on a laptop, then transfer the disk to your appliance. What is this, the Dark Ages? Also, pf is not quite up to snuff yet. It works well for some projects at work that just need to keep out everything, but some of the advanced features of iptables are not there yet. I will revisit OpenBSD in a few months and see how it's working; the priv separation and systrace jails make it ideal for security.

No disrespect to the OBSD developers, I just think that embedded devices are where it's at. When a shmoe like me can build a better DVD player than Toshiba with cheap hardware and free software, we may soon see imaginative people from outside the consumer electronics field with some great ideas that Sony would not build. As embedded devices become more common it would be good to see security up front (instead of as a clumsily executed afterthought like the rest of the computer industry). Feel free to call me an ungrateful bastard; I am just trying to sum up why the software won't work for me at this point.

So, Linux it is for now. I am looking into security for the device with systrace, or some other sort of process jail to keep the device from being compromised.

Finally, I just got my rebate check for the Viking CF card I bought from amazon. Final cost: 512MB for $149. The price is lower now, see here.


Journal: Firewall Appliance pt 3

Anybody seen this with Compact Flash and Linux? Using either ext2 or ext3 I get some weird errors on the Compact Flash partition that is mounted read-write.

Every so often after an init 6 or init 0 the system needs to be fsck'd, saying that there are errors on the filesystem. I switched the /usr filesystem to read-only and the errors stopped. I am working on getting /var into a ramfs, and /tmp -> /var/tmp, which should obviate the need for read-write partitions on the CF.

But, this filesystem corruption is worrisome, as I will have to remount rw to update the software or kernel.

Then again, I seem to remember problems like this on RedHat on my regular old Intel machine, and some sort of fix I put in place to make sure it cleanly unmounted at init 6 or 0. I should learn to keep better docs.


Journal: Firewall Appliance pt 2

I installed RedHat 7.2 on my little firewall, to no avail. GRUB is having some sort of memory addressing breakdown, because I have 512MB RAM and it says "Error 28" implying that it cannot figure out how to fit a linux kernel into RAM.

Well, tonight I will give it a go with LILO and see if that is better.

The problem could also be that I am loading the kernel and / from compact flash. Using the RedHat installer I got the system down to 301 MB (I have a 512 MB CF), but I can whittle away at it later. I will also build the tiniest kernel I can for the installation.

Next experiment is to fit the whole thing into a DiskOnChip module (I bought 32MB, why not have some fun?).

The Realtek LAN is set up in the firmware to boot across the network, since this little guy has no floppy or CD.

Added: Power consumption. It consumes 10 watts of power. According to my meter, it costs .09 USD / day. When powered off, it uses 1 watt. The motherboard claims to have a time on/off capability I can set in the BIOS, and I also want to try wake-on-lan so that internal users can wake it up by connecting to the network.

Journal: Yow, I have a fan

How did that happen?

Maybe I should start indicating my Friends here. I probably will not call anyone a Foe, because I like that "you play your cards close to the vest" description of myself that ./ provides.

Also, I don't want to make disagreements here personal, and finally, by announcing myself as someone's Foe, I will possibly alter the behaviour of a user whose antics give me good laughs.


Journal: Firewall appliance

Received a cool kit today. It's a Lex Light System. Not mini-itx (instead of 170mm X 170mm, it is more rectangular, but same area), but it's tiny with a via chipset, via eden CPU at 533MHz, and a sleek metal case. Other stuff not found on mini-itx boards: 3 X 10/100 ethernet that can be disabled with jumpers, Compact Flash slot, and DiskOnChip socket. Also, 12V DC power in.

I ordered it from Synertron Technologies, the CA office of Bona Computech from Taiwan. Talk to Eric Lin, or send mail to Just don't freak out when they say they only take checks; they're legit, and sent me my system quickly once it was in stock.

Plan: Build a firewall for home network, using 32MB diskonchip for boot, 512MB DIMM, and 512 CF for logs and the rest. Maybe I'll use a RAM disk for logs and just gpgmail 'em to myself.

The hope: quiet, low-power like a cable modem, no moving parts, and nobody in the house has to remember to turn it on to get to the Internet.

I'll post progress here as I get the rest of the parts and start to work on it. DiskOnChip 32MB module should be here tomorrow, and RAM should be here today.

The Eden CPU has a fan on it. VIA says that the 533 can run fanless, so I may remove it since I do not plan to overclock or run multimedia on the thing.
