Build Your Own PC Firewall

‘Stop those Hackers’ with Smoothwall Express 2.0

Index

If you have an old 486DX PC or better stashed away and think it no longer has any useful life, now is your chance to turn it into a dedicated firewall with intrusion detection and logging!

MicroDIY
Stage – Description – Page

Introduction – Gives details of why we need a firewall to protect our home or office computers, and what hardware is required for a firewall capable of handling up to ten computers. – Page 3

Step 1 – Getting the Software. Downloading the Smoothwall Express 2.0 image and making a bootable CD-ROM from it. – Page 4

Step 2 – Building your PC Firewall. Details of what hardware you need. – Page 5

Step 3 – The BIOS. Here you find the settings within your BIOS to get your PC up and running. – Page 6

Step 4 – Installing the Software & Configuring Smoothwall Express 2.0. – Page 7

Key Features of Smoothwall Express 2.0
• NAT (network address translation) – hides your computers’ IP addresses
• Stateful packet inspection – any network packet not requested from the GREEN side is rejected
• IP address tracking – trace those hackers using the built-in ‘whois’ feature
• IP address blocking – create your own IP address block list
• Intrusion detection – find out who is ‘probing’ your network
• Comprehensive logging features – all events are logged for evidence
• Monitor network load graphically
• No monitor, keyboard or mouse required once the firewall is properly built & configured
• Does not slow down the network or the broadband connection
• Remote shut down feature
• Automatically restarts when required, i.e. when a user logs onto the network

Note!! You may have been led to believe that a router with a built-in ADSL modem and network switch, NAT (network address translation) and stateful packet inspection is all that is required to be safe from hackers, and that you do not need a software firewall (such as Zone Alarm) or a hardware firewall solution. Well, frankly, you’re wrong! Such a router does drop unsolicited inbound packets, but it gives you none of the logging, intrusion detection or blocking features listed above, so you never find out who is probing you. Extensive testing has shown that with today’s internet activity you would be mad not to invest in a firewall, especially with the new threat from worms such as Sasser. Be safe! Get yourself a firewall.

www.microdiy.co.uk

Page 2

5/31/2004

Introduction
If you are concerned with network security and would like to stop outside hackers getting to your data, then this project gives you all the necessary tools to build your very own dedicated network firewall from an old PC. It uses open source software based upon the renowned stability of the Linux OS. It has all the features you would expect of any commercial hardware package and, when installed into a PC, performs extremely well, giving you many network tools to help you track, monitor and defend against those hackers. The only problem is that it expects the user to have some background knowledge of networking to get their PC firewall up and running, as Linux is not very user friendly. However, I have tried to cover every possible hardware configuration by installing the software many times to see which set up produces the best and easiest to achieve configuration. See Fig. 1 – home network connected to the internet via an ADSL router.

What you need!
The PC – any old PC that you may no longer use; remember though, you still need reliability. The firewall will probably be left on all the time, only shutting down when instructed to do so by the last user from Smoothwall Express 2.0’s browser interface. You only require the tower for the actual firewall. During the building and setting up of the firewall you will require a monitor, mouse and keyboard; the tower unit, when properly configured, will operate without them! So, why will an old 486 do the job, and what would be the advantage of using a Pentium class of computer?

This Firewall is based around an Athlon 750Mhz Motherboard - Matsonic MS8137C with Via Chip set (KT133)

Well, it all comes down to the number of computers which will access the internet via the firewall. A Pentium processor running at 500MHz or more will cope very well with 10+ computers accessing a broadband internet connection without any noticeable loss of performance during file downloads etc., while a 486DX computer should do fine with a single computer accessing the internet. Every extra feature enabled on the firewall, such as intrusion detection, uses up those processor cycles very quickly. You must download the installation guides and spend some time reading them before you begin to build your firewall. The documentation is comprehensive, giving full details of the software installation process; however, you will find the different options difficult to follow unless you first decide which type of set up you want.

This project assumes that you already have a home or small office network connected through a network hub or switch. The firewall should be placed between the broadband router and the network hub/switch see fig. 1.

Fig. 1 – Home network connected to the internet via an ADSL router. GREEN interface: home network side of the firewall. RED interface: internet side of the firewall. The RJ45 network socket in the attic is where Smoothwall Express 2.0 joins both sides of the network together.

You may find it helpful to read the other network guide booklets alongside this one to be able to get a better overview of the networking options available.

Step 1 – Getting the Software

Download the Smoothwall Express 2.0 ISO CD-ROM image file from http://www.smoothwall.org/get/. You need to be able to create a bootable CD-ROM from the ISO image file. DO NOT simply copy the files across onto a blank CD-ROM: the image is laid out so that the PC’s BIOS recognises the disc as bootable (the boot record sits at a fixed place near the start of the image), so burn your CD straight from the ISO image file. Test the CD-ROM to make sure you can boot a computer from it. You can use your own computer to do this by going into the BIOS and changing the boot sequence to ‘1st boot device – CD-ROM’. When you have achieved the above successfully you are ready to begin building your firewall. Remember to test your CD first, as there is no point going any further if you cannot boot and then load the files. There is an option to produce a bootable floppy disc, but I found this unnecessary.
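Before burning, a quick way to see the difference described above (an image that will boot versus a disc of copied files) is to look for the El Torito boot record that every bootable ISO 9660 image carries in its volume descriptor set, normally at sector 17. The script below is an added example for this booklet, not Smoothwall’s own code or anything from the download page; the sample images built by make_sample_image() are constructed for illustration and are not Smoothwall ISOs.

```python
"""Tell a bootable CD image from a disc of copied files.

Added example (not from the booklet or from Smoothwall). A CD burned from
a real ISO image carries an El Torito boot record volume descriptor; a
disc made by copying the files onto a blank CD is a plain data disc and
will never boot, even though it is still a valid ISO 9660 volume.
"""
import struct

SECTOR = 2048                          # ISO 9660 logical sector size
VD_START = 16                          # volume descriptor set starts at sector 16
EL_TORITO_ID = b"EL TORITO SPECIFICATION"


def inspect_image(data):
    """Walk the volume descriptor set of an ISO 9660 image held in memory.

    Returns whether the image is ISO 9660 at all, whether it carries an
    El Torito boot record, and where that record says the boot catalog is.
    """
    info = {"iso9660": False, "bootable": False, "boot_catalog_lba": None}
    sector = VD_START
    while True:
        vd = data[sector * SECTOR:(sector + 1) * SECTOR]
        if len(vd) < SECTOR or vd[1:6] != b"CD001":
            break                                   # not a descriptor: give up
        vd_type = vd[0]
        if vd_type == 1:                            # primary volume descriptor
            info["iso9660"] = True
        elif vd_type == 0 and vd[7:7 + len(EL_TORITO_ID)] == EL_TORITO_ID:
            info["bootable"] = True                 # El Torito boot record
            # bytes 71..74: little-endian LBA of the boot catalog
            info["boot_catalog_lba"] = struct.unpack_from("<I", vd, 71)[0]
        elif vd_type == 255:                        # set terminator
            break
        sector += 1
    return info


def inspect_iso(path):
    """Inspect an image file; the descriptor set lives in the first sectors."""
    with open(path, "rb") as f:
        return inspect_image(f.read(SECTOR * 64))


def is_bootable(data):
    info = inspect_image(data)
    return info["iso9660"] and info["bootable"]


def _descriptor(vd_type):
    vd = bytearray(SECTOR)
    vd[0] = vd_type
    vd[1:6] = b"CD001"
    vd[6] = 1
    return vd


def make_sample_image(bootable):
    """Constructed minimal image (not a Smoothwall ISO): 16 empty system-area
    sectors, a primary descriptor, optionally an El Torito boot record, and
    a terminator, followed by a few empty sectors."""
    brvd = _descriptor(0)
    brvd[7:7 + len(EL_TORITO_ID)] = EL_TORITO_ID
    struct.pack_into("<I", brvd, 71, 19)            # boot catalog would be at sector 19
    image = bytes(SECTOR * VD_START) + bytes(_descriptor(1))
    if bootable:
        image += bytes(brvd)
    return image + bytes(_descriptor(255)) + bytes(SECTOR * 3)


if __name__ == "__main__":
    import sys
    print(inspect_iso(sys.argv[1]))
```

Run it as `python check_iso.py smoothwall.iso`: iso9660 True with bootable False is exactly what a disc of copied files looks like. The check is no substitute for the boot test the booklet asks for, which is the only thing that proves your drive and BIOS agree with the disc.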

Step 2 – Building The PC Firewall

The next step involves the building of the computer. I would recommend that you go for something approximately two years old, which will make the installation of the Linux Smoothwall Express 2.0 software easier. Using brand new modern computer equipment (the latest motherboards) is not recommended, even by the developers of the software, because the latest motherboards use chipsets which may not be recognized by the Linux OS. Here is a list of the hardware you will need and the system requirements:
• Motherboard with 500 - 750MHz processor with
  o Wake-on-LAN
  o Power saving feature S3 - save to memory during sleep mode
• 1.2 Gigabyte hard drive or more – no more than 3 Gigabyte
• 64 Megabyte of RAM – max 128 Megabyte, any more is a waste
• On-board graphics or a basic PCI video card (S3 with 4 Megabyte of memory) – avoid AGP types
• USB port – if using a USB broadband connection – cannot comment on these!
• 2 network adaptors – one with Wake-on-LAN; Netgear FA312 & FA311 work well (you only need 1 if using a USB broadband router)
• ATX case with 300W ATX power supply – to support sleep mode
• CD-ROM drive – required to boot the software from; the system must support ACPI mode
• 3½” Floppy drive (not required if booting from CD-ROM)

The network cards have proved to be very difficult for some computer builders to install, especially when using the same make/type/chipset of network adaptor. This is because, during the installation of the software, Smoothwall Express 2.0 looks first for the GREEN interface network adaptor and then for the RED interface network adaptor, making it difficult to tell which is which when the cards are the same. Removing the cards and swapping them over after installing the software DOES NOT solve the problem, as the cards’ MAC addresses will be different. However, it really is very simple when you know the install logic behind Linux: it scans each PCI slot in turn, starting with PCI slot 1 (strictly, in PCI bus and device number order, which on boards of this age follows the slot numbering). Put the graphics card in PCI slot 1 and the adaptor card you want as the GREEN interface, the one with Wake-on-LAN (WOL), into PCI slot 2; that way you know straight away that the WOL card has been set as the GREEN interface (your home or office network).

Photo: PCI slot 1 holds the graphics card; GREEN interface – Netgear’s FA312 network adaptor with WOL in the next slot

You can put the RED network adaptor in any of the remaining PCI slots, or use the USB port. Note!! You must have the USB and serial ports enabled in the motherboard BIOS even if you do not need them: Linux tries to find devices connected to these ports first, and if they are disabled the install halts at this point.

I used a network adaptor with WOL for the GREEN interface because I wanted the firewall to restart automatically when a computer on the network was booted; I also wanted the option to shut the firewall down remotely from any of the computers on the network, with whoever is last on the network taking the responsibility to shut down Smoothwall Express 2.0. I had hoped to have auto-sleep when no activity was detected, but this option is NOT supported with Linux. However, once Smoothwall Express 2.0 has been shut down it will automatically be restarted by the WOL feature: the card listens on standby power for a ‘magic packet’ (a broadcast frame containing six 0xFF bytes followed by the card’s own MAC address repeated sixteen times) and powers the machine on when it sees one. A card of this age normally has a three-pin WOL lead that must be plugged into the motherboard’s WOL header, otherwise no standby power reaches the card. This is why you need a motherboard with WOL, as it saves having to remember to switch on Smoothwall Express 2.0 every time you switch on your own computer. Bear in mind that magic packets carry no authentication: any machine on the GREEN network can wake the firewall. At first, problems were encountered during the re-booting process from the sleep state, as some hardware was not detected properly, mainly the graphics cards I tested. To get round this problem, the ‘Save to memory’ option within the BIOS settings was selected and enabled, as well as saving the system BIOS and video BIOS to main memory. This makes sure that all hardware state is properly stored and preserved in memory ready for the re-booting of Smoothwall Express 2.0. Also, turn off ‘Halt on all errors’ within the BIOS; that way you will be able to disconnect the keyboard, monitor and mouse once the building of the firewall is completed.

RED interface – Netgear FA311 network adaptor

Step 3 – The BIOS

The BIOS set up is relatively straightforward provided you follow these settings; you may have to search around your BIOS to find them:
1. Reset/clear the BIOS and renew the battery
2. At start up select – load system defaults
3. Turn off – ‘Halt on all errors’
4. Set the hard drive using auto-detect, or leave all on AUTO
5. Set the following:
  o Parallel ports – Disable
  o Second serial port – Disable
  o On-board sound & modem – Disable
  o WOL (wake on LAN) – Enable
  o USB ports 3 onwards – Disable (you MUST have 1 & 2 enabled or Smoothwall Express 2.0 will not load correctly)
  o Chip set performance – set to NORMAL
  o PCI Bus ‘0’ wait states – Disable
  o PCI Prefetch – Enable
  o PCI Buffer – Enable
  o 3½” Floppy – None (enable this option if you wish to boot from floppy)
  o Memory settings – set to normal timings
  o Ultra DMA – Enabled (check your CD-ROM supports this)
  o VGA device – PCI
  o PNP OS – Yes
  o Reset configuration data – Yes (you must reset the CMOS first)
  o Resources controlled by – Auto (ESCD)
  o PCI Master – ON
  o Power On by PCI Card – Enabled
  o ACPI Function – Enabled
  o ACPI Suspend Type – S3 (STR – Suspend to RAM)
  o PCI Master 0 WS – Disabled
  o PCI Post Write – Enabled
Disabling the ports and on-board devices you do not use has a side benefit on a firewall: hardware that is switched off cannot be probed or mis-detected by the OS.

Step 4 – Installing The Software & Configuring Smoothwall Express 2.0

The first part of the operation is straightforward. Simply pop the CD into the CD-ROM drive, make sure the BIOS is set to ‘1st boot device – CD-ROM’ and follow the on-screen instructions. The Linux OS will try to detect all of your hardware. It is during this stage of the setup that you MUST allocate an IP address for the GREEN interface network adaptor (see Fig. 2). When the GREEN interface is configured you will be prompted that the rest of the files are to be installed, and when this is complete you will be prompted to remove the CD. Follow the on-screen instructions to configure Smoothwall Express 2.0; they are well documented, but don’t worry if you make a mistake, you can always log on again and change the setting. These are the components which require setting up:
• Keyboard mapping – any standard keyboard will do
• Host name (leave it set to ‘Smoothwall’)
• Web proxy – skip, not required
• ISDN – skip
• ADSL – skip (if you have a USB Speedtouch 330 modem you will need the Fixes3 update; see the web for more details!)
• Networking – here you get to review your IP addresses (to use the set up shown at Fig. 1, select GREEN + RED)

When you are done here there are three passwords that you must set. Choose suitable passwords and make a note of them; you will be prompted for:
• Admin – ………………………………..
• Setup – ………………………………..
• Root – ………………………………..
The admin password is all that protects the browser interface from anyone on your network, and root gives a full shell on the firewall, so make them long and make them different from each other.

The GREEN interface you configured first. You have the choice of using your own fixed IP addresses or allowing Smoothwall Express to act as a DHCP (Dynamic Host Configuration Protocol) server, which means the firewall allocates an IP address to the computers on your network when they boot up (note! you should normally only ever have one DHCP server on a network). This is where you may find problems, as I did, getting the whole system to work together, i.e. Smoothwall and your ADSL router. Routers supplied with an integrated ADSL modem are by default set up to act as both a DHCP server and a DNS server for the computers behind them: each computer’s request for a web address has to be translated into an IP address by DNS and then routed out to the internet through the router (the gateway). When the ADSL modem logs onto your internet service provider, it is given the addresses of the provider’s DNS servers (there is usually more than one), and it forwards your computers’ name lookups to them.

When Smoothwall Express 2.0 is operating you will be able to see which services are running: DHCP Server - STOPPED DNS Server - RUNNING

So what is the solution? Well, leave your router (gateway) settings as they are (DHCP & DNS servers ON) and allow the router to continue to allocate IP addresses on its side. I found that the RED interface was set up much more easily this way (during Smoothwall’s set up process you don’t get to choose the RED interface IP address). Turn OFF the DHCP option within Smoothwall Express 2.0 but leave the DNS option set to ON. Smoothwall Express 2.0 will then work like this:
1. A browser on one of your network computers makes an internet request. Smoothwall’s DNS service resolves the name, forwarding the lookup to the DNS servers it learned on the RED side, and the traffic is passed out of the RED interface, whose IP address is set by your ADSL router.
2. The router accepts the request and passes it on to your internet service provider, using the provider’s DNS servers for its own lookups; this way all internet traffic is handled correctly.
Give the GREEN interface a fixed IP address and make a note of it; you will need it when you configure each of the computers on the home/office network, because the GREEN IP address is what you enter as the Gateway (and preferred DNS server) in the ‘network options’ settings of each computer. Then give each computer a fixed IP address in the same subnet as GREEN. In Fig. 2 they are numbered just above the GREEN address, but any unused address in that range will do. One caveat on the addresses in Fig. 2: the GREEN side there shares the router’s 192.168.0.0/24 range, which is why you must pick addresses high enough not to clash with anything the router hands out to wireless or other devices on its side. Strictly, the GREEN and RED interfaces should be in different subnets, otherwise the firewall has two routes to the same network and may send router-bound traffic out of the wrong card; the safe choice is a separate range for GREEN (192.168.1.0/24, say) with the same layout. Use the following diagram to help you set each computer’s IP address, including Smoothwall’s.

Computer 1
  IP address: 192.168.0.10
  Subnet mask: 255.255.255.0
  Default gateway: 192.168.0.5
  Preferred DNS server: 192.168.0.5

Computer 2
  IP address: 192.168.0.11
  Subnet mask: 255.255.255.0
  Default gateway: 192.168.0.5
  Preferred DNS server: 192.168.0.5

Smoothwall Express 2.0 firewall
  GREEN interface IP address: 192.168.0.5
  Subnet mask: 255.255.255.0
  RED interface: set by router

Router default settings
  IP address: 192.168.0.1

Fig. 2 – Network Configuration
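The addressing in Fig. 2 is easy to get subtly wrong, so here is an added example (not from the booklet or from Smoothwall) that checks a plan with Python’s ipaddress module: every computer must sit in the GREEN subnet with a unique address, its gateway and DNS must be the GREEN address, and the GREEN and RED sides must be different networks. It assumes the router hands RED an address such as 192.168.0.2 from its own 192.168.0.0/24 LAN (Fig. 2 only says ‘set by router’), and uses 192.168.1.0/24 as an illustrative separate range for GREEN.

```python
"""Sanity-check a GREEN/RED addressing plan like the one in Fig. 2.

Added example (not from the booklet or from Smoothwall). The RED address
192.168.0.2 and the alternative GREEN range 192.168.1.0/24 are assumptions
for illustration.
"""
from ipaddress import ip_address, ip_interface


def check_plan(green, red, clients, router):
    """Return a list of problems (an empty list means the plan is sane).

    green, red: interface addresses with prefix, e.g. '192.168.0.5/24'
    clients:    {name: {'ip': ..., 'gateway': ..., 'dns': ...}}
    router:     the ADSL router's LAN address
    """
    problems = []
    g = ip_interface(green)
    r = ip_interface(red)
    rt = ip_address(router)

    # Two interfaces in one subnet give the kernel two routes to the same
    # network; router-bound traffic may then leave through the GREEN card.
    if g.network.overlaps(r.network):
        problems.append("GREEN %s and RED %s overlap" % (g.network, r.network))
    if rt not in r.network:
        problems.append("router %s is not reachable from RED %s" % (rt, r.network))
    if rt in g.network:
        problems.append("router %s sits inside the GREEN subnet" % rt)

    seen = {g.ip}                      # the firewall's own GREEN address is taken
    for name, c in clients.items():
        ip = ip_address(c["ip"])
        if ip not in g.network:
            problems.append("%s: %s is outside GREEN %s" % (name, ip, g.network))
        if ip in seen:
            problems.append("%s: %s is used twice" % (name, ip))
        seen.add(ip)
        if ip_address(c["gateway"]) != g.ip:
            problems.append("%s: gateway must be the GREEN address %s" % (name, g.ip))
        if ip_address(c["dns"]) != g.ip:
            problems.append("%s: DNS should point at the GREEN address %s" % (name, g.ip))
    return problems


# The plan as drawn in Fig. 2; the RED address is assumed (handed out by the router).
FIG2_CLIENTS = {
    "Computer 1": {"ip": "192.168.0.10", "gateway": "192.168.0.5", "dns": "192.168.0.5"},
    "Computer 2": {"ip": "192.168.0.11", "gateway": "192.168.0.5", "dns": "192.168.0.5"},
}


def fig2_plan():
    return check_plan("192.168.0.5/24", "192.168.0.2/24", FIG2_CLIENTS, "192.168.0.1")


# The same layout with GREEN moved to its own range (192.168.1.0/24, assumed).
FIXED_CLIENTS = {
    "Computer 1": {"ip": "192.168.1.10", "gateway": "192.168.1.5", "dns": "192.168.1.5"},
    "Computer 2": {"ip": "192.168.1.11", "gateway": "192.168.1.5", "dns": "192.168.1.5"},
}


def fixed_plan():
    return check_plan("192.168.1.5/24", "192.168.0.2/24", FIXED_CLIENTS, "192.168.0.1")


if __name__ == "__main__":
    for label, plan in (("Fig. 2 as drawn", fig2_plan), ("GREEN on its own range", fixed_plan)):
        print(label, "->", plan() or ["ok"])
```

Run as-is it reports the overlap in Fig. 2 as drawn and nothing for the variant with GREEN on its own range; edit the two plans to match your own router before trusting the result.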

To set up each computer’s network TCP/IP settings (the menu names here are Windows XP’s), go to My Network Places, select View Network Connections, open the Properties of the local area connection, highlight Internet Protocol (TCP/IP) and choose Properties. In the options box that appears, select ‘Use the following IP address’ and enter the IP address, subnet mask, default gateway and preferred DNS server for that computer from Fig. 2.

Well, that is it; you’re all done. All you need to do now is download the updates for Smoothwall. They are hidden in the ‘Archives’ section and are as follows:
1. Fixes1
2. Fixes2
3. Fixes3

Download each of the files onto your computer’s hard drive. You may wish to do this before you connect Smoothwall Express 2.0 to the internet, as these updates are required for some hardware problems, and a firewall should not face the internet unpatched. To upload the files to Smoothwall, log on to Smoothwall (see below) and select ‘Maintenance’.

From here you need to ‘Browse’ to the location on your hard drive where you saved each of the updates, using the ‘Browse’ button.

Once you have found each of the files, upload them one at a time. They must be installed in order, starting with ‘Fixes1’; reboot after each one so that the update installs before you repeat the above for the other ‘Fixes’. Your firewall is now ready to run. If all is well you should be able to get straight onto the internet without any trouble. To log onto Smoothwall, point your browser at the GREEN interface address you chose (192.168.0.5 in Fig. 2) and use the admin password you set during installation.

If you are unable to connect to the internet you should still be able to log onto Smoothwall to check your settings! That’s it, you’re all done! Good luck!
