
Debian Router - Proposal for Debian Router/Firewall project


Matthew Grant

Dec 3, 2000, 11:25:24 PM
Hi There!

I am a new maintainer currently going through the developer application process. My interest is in migrating the work I did under LRP to Debian, and using zebra instead of gated.

I notice that Debian firewall probably overlaps this project a bit, because of the nature of securing the machine, and the fact that a firewall is basically a specialised router.

I have got together with a few developers, and we have a mailing list at rou...@fuller.melchi.edu. Some software based on potato is already done (or almost), including a flavour of kernel (does anyone know how to get a proper changelog in, instead of having it overwritten with some garbage about getting in netwinder support?...).

Here is a list of plans:

------
Dear All,

I thought I should write to recap on everything and to work out where we are
heading.

Shall I also post this into debian-devel and debian-firewall to attract more
developers?

Current Progress
----------------

Software
--------
A 2.2.17 kernel, zebra 0.89a, and netscript have been packaged. Basic OSPF
zebra test runs have been completed. Some bugs in netscript need fixing
(found during testing), the kernel needs a changelog, and backport version
numbers need to be assigned to zebra, and a bridgex needs repackaging with a
new startup script. I will try to get this all completed this weekend.

Hardware
--------
Sangoma Technologies have kindly given me a couple of S508 boards so that we
can do development work and software testing. Tony, once the dust settles
about my new job, I will see if I can arrange remote access for you to a
couple of 486 machines back to back...

Apt Archive Site
----------------
There has been discussion on what should be done about this. The possibility
of cryptographic VPN/admin software being made part of the project means that
the master archive should reside in a crypto-friendly country. Alexander has
put a site in Germany forward that sounds like it will be good for the master
archive, and Christoph has offered to mirror it in the US. Tony has offered
to adminster it.

Could you please get something together soon as I will have software ready
this week for release for potato, and will be porting over the next 2 weeks
into woody.

Plans for the next few weeks
----------------------------

WWW site/pages
--------------
We need a WWW page describing what we are about, and where to find things. Is
it possible that we could do something on www.debian.org? We also need to
mention a couple of sponsors on it - Plain Communications Ltd
(http://www.plain.co.nz/) my employer who are currently letting me work on it
full time as they need for a software upgrade to the 25 routers/firewalls they
run, and Sangoma Technologies who have donated me some hardware for WAN
testing and development.

Get Wanpipe drivers updated this week and tested
------------------------------------------------
The configuration binaries for Wanpipe need repackaging. I will be commencing
this on Monday if no one else has got around to it.

Future Direction
----------------
There are number of things that need work.

2.4 kernel
----------
For the next few months I suggest we stick to 2.2.x until 2.4.x has
stabilised. We already have a big lead on 2.2.x as a lot of what I currently
have is built on the work I did to get LRP up and going with 2.2.x. Towards the
end of January I will be starting to look into 2.4.

In particular, 2.4 offers a lot of promise in the area of network throughput
over 2.2. The things we will need to look at are porting netscript to
iptables, supporting the 2.4.x /proc/sys/net/ipv4 switches, IPv6 support (not
to be done on 2.2.x unless someone is crazy about it), work on integrating
the new bridge module in 2.4.x, and VPN stuff. We want to be able to leverage
most of the work we do on 2.2.x here, so don't go wasting time on fixing up
the oddities in 2.2.x bridging unless it is a show stopper.

Zebra
-----
This needs work on the security of the administration interface. Telneting
TCP ports with clear text passwords is just asking for trouble. There is an
almost complete shell called vtysh that just needs a few common commands to be
multiplexed among the daemons (write file for instance), and a look at where
the unix sockets for this get created (NOT well known names in /tmp as it
is now). Vtysh could be sshed into via being a shell on an account on the
router, and it also has the beginnings of PAM support.

OSPF is looking good from what I have seen of it, but it still produces TOO
many log messages (1 for every hello packet...). The only events that should
be logged by default are those found in the OSPF SNMP trap MIB. My test boxes
produced 14MB of logs in a day!!!!!

The latter is pretty serious. Fortunately you can turn logging completely
off, but there are events that should be monitored. I will e-mail zebra about
both of these, and may start working on the logging problem next week. It
should only take a bit of donkey work to fix it I imagine.

ifMIB support
-------------
I want to add support for the ifStatus link layer Up/down field and the
ifSpeed fields to the standard interfaces structures in 2.2.x and 2.4.x. From
my investigative work this can be done in such a way that only drivers that
choose to support it need altering. Zebra would find this very useful as it
then can auto-assign costs to router interfaces based on their speed, and its
OSPF, BGP, and RIP state machines could run more efficiently on WANs. Umich
snmpd would also find this useful.

WanPipe
-------
Add ifMIB support, get FR inverse ARP working properly, help Nenad Corbic
with the port to 2.4.x, sort out the new bridging stuff on it.

Netscript configuration front end
----------------------------------
With netscript's basic configuration being kept in a file full of /bin/sh
variables and small interface activation/deactivation functions (which have
the meat of the stuff in them to start up ciped, pppd, wanconfig for the
particular interface), this is just going begging for a configuration and
management frontend to be written. Volunteers?

Documentation
-------------
The project will need documentation, manuals, and howtos written and linked
from the WWW pages if we are really going to make it popular. In particular,
a guide on how to create a Debian router would be very useful.

Boot Floppies set
-----------------
Take the standard boot floppies, and adapt them to do the install of a Debian
router. A lot of the software in the standard Debian install is just bloat.
My routers are down to around 65MB including man pages.

task-router package
-------------------
Another way of creating a Debian router. Selecting it should pull in almost
the entire router software. Good for the above I believe as well.

Install Package List
--------------------
I will do a dpkg --get-selections and put this up on my WWW site this weekend
as a resource. Watch for the e-mail.

Relationship to Debian Firewall
-------------------------------
Netscript includes ipchains scripts to set up a router as a firewall, with
support for a DMZ interface. The hardening for the use of a box as a
router exposed on the Internet is very similar to that of a firewall. The
router flavour kernel I am producing has all the firewalling features turned
on, including stuff like transparent proxying. IP filtering and other
security features like the rp_filtering to detect spoofed source addresses are
used in netscript. It is projected that VPN software like CIPE and FreeS/WAN will be
incorporated in Debian Router. We have a lot in common with the Firewall
project in this regard, and no doubt they will be interested in a lot of our
technology and packages.

This is all quite a lot to digest, but I hope that it gets everybody
thinking and gets the ball rolling.

Your feedback is encouraged, and let's get on with it, as it is all very
exciting!

Cheers,

Matthew Grant

--
===============================================================================
Matthew Grant /\ ^/\^ gra...@anathoth.gen.nz It's/~~~~\Plain where
A Linux Network Guy /~~\^/~~\_/~~~~~\_______/~~~~~~~~~~\____/******\I come from
===============================================================================
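Added example for the socket-placement point in the Zebra section above (well-known socket names in /tmp); this is not code from the original post or from zebra/vtysh. It binds a control socket only inside a private, owner-only directory and refuses a shared one such as /tmp; the directory and socket names are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* A usable socket directory is a real directory (not a symlink), owned by the
 * calling user, with no group/other access. Returns 0 if usable, -1 otherwise. */
static int ensure_private_dir(const char *dir)
{
    struct stat st;
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    if (lstat(dir, &st) != 0)               /* lstat, so a symlink is refused */
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid() || (st.st_mode & 077) != 0)
        return -1;
    return 0;
}

/* Bind a listening Unix-domain control socket at dir/name (names are assumed).
 * umask 077 makes the socket file 0600, so only the owner can connect to it.
 * Returns the listening fd, or -1 if the directory is unsafe or bind fails. */
int create_control_socket(const char *dir, const char *name)
{
    struct sockaddr_un sa;
    mode_t old;
    int fd;
    if (ensure_private_dir(dir) != 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    if (snprintf(sa.sun_path, sizeof sa.sun_path, "%s/%s", dir, name) >= (int)sizeof sa.sun_path)
        return -1;
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    unlink(sa.sun_path);                    /* clear a stale socket from an earlier run */
    old = umask(077);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 5) != 0) {
        umask(old);
        close(fd);
        return -1;
    }
    umask(old);
    return fd;
}
```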


Wichert Akkerman

Dec 4, 2000, 3:00:00 AM
Previously Matthew Grant wrote:
> I am a new maintainer currently going through the developer
> application process. My interest is in migrating the work I did under
> LRP to Debian, and using zebra instead of gated.

It so happens that smoothwall (http://www.smoothwall.org/) is being
changed to be Debian-based, you might want to look at that as well.

Wichert.

--
_________________________________________________________________
/ Nothing is fool-proof to a sufficiently talented fool \
| wic...@cistron.nl http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |


Yu Guanghui

Dec 4, 2000, 3:00:00 AM
Hi,
please notice Gibraltar Firewall, http://www.gibraltar.at/, which is also
based on Debian.
saka

Richard Morrell

Dec 4, 2000, 3:00:00 AM
0.9.6 is NOT Debian based but I am planning when I get time to finish the
Debian port and the Apache/Boa port.

0.9.6 is the new build and available from Sourceforge early this week and
if not you can grab it from http://www.uklinux.net's mirrors.

Richard

_______________________________________________________________

Richard Morrell
VA Linux Systems UK
Telephone +44(0)7730 711679 / +44(0)1962 840680
Fax +44(0)870 0636177

VA Linux Systems - http://www.valinux.com
Project Manager - SmoothWall - http://www.smoothwall.org
RedmondLinux Project - http://www.redmondlinux.org
Security Team - http://www.insecure.org

email: rmor...@valinux.com or ric...@linux.com

On Mon, 4 Dec 2000, Wichert Akkerman wrote:

> Previously Matthew Grant wrote:
> > I am a new maintainer currently going through the developer
> > application process. My interest is in migrating the work I did under
> > LRP to Debian, and using zebra instead of gated.
>
> It so happens that smoothwall (http://www.smoothwall.org/) is being
> changed to be debian-based, you might want to look at that as well.
>
> Wichert.
>
> --
> _________________________________________________________________
> / Nothing is fool-proof to a sufficiently talented fool \
> | wic...@cistron.nl http://www.liacs.nl/~wichert/ |
> | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
>