Building a debian firewall on a CF card

Posted: 2008-04-05

I currently have an OpenBSD firewall running on an ancient 586. I have a mini-itx board, CF/IDE converter and a CF card and have been intending to upgrade.

However - rather than OpenBSD I'm going to try for debian (since I know that much better).

This post will end up being a "how I did it" - but at the minute is just a collection of the notes I'm grabbing for now.

For the initial install - I hung a CD-ROM as the slave IDE unit on the primary IDE channel.

I used the 4.0r3 etch netinst CD downloaded from

Install went smoothly once I replaced the CF-IDE converter with a newer one that supported DMA (the newer CF card was DMA compatible) as I simply could not get the installer to disable DMA. However - see debian bug 475223 for information on how you could actually do that.

### Disk Mounting

From I got a starter fstab and the hint about mtab. Here are the versions I ended up with:


proc            /proc           proc    defaults        0       0
/dev/hda1   /               ext2    noatime,errors=remount-ro 0       1
tmpfs          /etc/network/run tmpfs defaults,noatime                   0 0
tmpfs          /tmp           tmpfs   defaults,noatime                   0 0
tmpfs          /var/lock      tmpfs   defaults,noatime                   0 0
tmpfs          /var/log       tmpfs   defaults,noatime                   0 0
tmpfs          /var/run       tmpfs   defaults,noatime                   0 0
tmpfs          /var/tmp       tmpfs   defaults,noatime                   0 0

Warning: By mounting /var/log on tmpfs, logs will only be available for the current session. That includes auth.log, so anything you would want to look at after a break-in (or that denyhosts, below, acts on) is gone at the next reboot; if the records matter, forward them to a syslog host on the LAN. Any daemon that expects its own subdirectory under /var/log will also need that directory recreated at boot.


rm -f /etc/mtab
ln -s /proc/mounts /etc/mtab


### IPv6

I have some issues with things when IPv6 is running. So, to disable IPV6 I added:

blacklist ipv6

to /etc/modprobe.d/blacklist. Blacklisting only stops the module being auto-loaded through its alias; anything that runs `modprobe ipv6` explicitly can still load it, so check with `lsmod` after a reboot.

So - now the server boots, mounts the highly active parts of the system on tmpfs (we don't want to burn out the CF card).

### Network interfaces

I need both ports to come up - one to the ISP, one internal.

`auto` names the interfaces that /etc/init.d/networking brings up with `ifup -a` at boot; `allow-hotplug` names those that the hotplug/udev scripts bring up with `ifup --allow=hotplug` when the kernel registers the device. eth0 is listed under both here, so it is attempted at boot and again when the driver announces it, which is harmless but redundant.


# The loopback network interface
auto lo eth0 eth1
iface lo inet loopback

# The external interface
allow-hotplug eth0
iface eth0 inet static

# The internal interface
iface eth1 inet static


### SSH

Install ssh with aptitude.

I configured sshd with the following /etc/ssh/sshd_config:

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes

# Protocol 1 only; no effect with "Protocol 2" but harmless to leave in.
KeyRegenerationInterval 3600
ServerKeyBits 768

SyslogFacility AUTH
LogLevel INFO

LoginGraceTime 120
# Root can log in, but only with a key (see PasswordAuthentication below).
# "without-password" or "no" (and su/sudo from a normal account) is tighter.
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes

IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no

PermitEmptyPasswords no

# With UsePAM yes, PAM can still prompt for a password via keyboard-interactive
# unless this is also "no"; both lines together are what makes the box key-only.
ChallengeResponseAuthentication no

# Remember to make sure that you have a working set of .ssh/authorized_keys before changing this from yes to no!
PasswordAuthentication no

X11Forwarding no
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes
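A check I would run against that file, added here as an example and not part of the original post or of the OpenSSH project: an audit that reads sshd_config the way sshd does (the first occurrence of a keyword wins, so hardening lines appended below the stock settings are ignored) and reports the effective value of the options that decide whether the box is really key-only. The function names, the allow-list of wanted values and the two sample config files are constructed; the samples are written to a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config the way
# sshd actually reads it. sshd honours the FIRST occurrence of a keyword, so
# a hardening line appended at the bottom of a file that already sets the
# same keyword near the top is silently ignored. (Match blocks, which apply
# per connection, are not modelled here.)
# The function names, the wanted values and the sample files are constructed.

# Effective value of one keyword: first match wins, keyword matching is
# case-insensitive, '#' starts a comment. Prints nothing if the keyword is unset.
sshd_effective() {                  # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                       # strip comments
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Compare effective values against an allow-list. Alternatives are separated
# by "|"; "(unset)" is accepted only where the OpenSSH default is already the
# safe value. Output: "Keyword effective wanted" per finding;
# exit status = number of findings (0 = clean).
sshd_audit() {                      # $1 = config file
    _file=$1 _n=0
    for _pair in \
        'Protocol=2' \
        'PermitRootLogin=no|without-password' \
        'PasswordAuthentication=no' \
        'ChallengeResponseAuthentication=no' \
        'PermitEmptyPasswords=no|(unset)' \
        'HostbasedAuthentication=no|(unset)' \
        'X11Forwarding=no|(unset)'
    do
        _k=${_pair%%=*} _want=${_pair#*=}
        _got=$(sshd_effective "$_file" "$_k")
        [ -n "$_got" ] || _got='(unset)'
        case "|$_want|" in
            *"|$_got|"*) ;;                      # effective value is acceptable
            *) printf '%s %s %s\n' "$_k" "$_got" "$_want"
               _n=$((_n + 1)) ;;
        esac
    done
    return $_n
}

# Two constructed sample files; prints the directory they are written to.
make_samples() {
    _d=$(mktemp -d)
    # key-only like the config above, but root still permitted
    cat > "$_d/page.conf" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
PubkeyAuthentication yes
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
# Remember to make sure that you have a working set of .ssh/authorized_keys before changing this from yes to no!
PasswordAuthentication no
X11Forwarding no
UsePAM yes
EOF
    # the trap: hardening appended below lines that already set the keywords
    cat > "$_d/appended.conf" <<'EOF'
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
# added later by hand; sshd keeps the values above, so these do nothing
PasswordAuthentication no
PermitRootLogin no
EOF
    printf '%s\n' "$_d"
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config   (exit status = number of findings)
if [ $# -gt 0 ]; then
    sshd_audit "$1"
fi
```

Against the first sample it reports only `PermitRootLogin yes`; against the second it reports `Protocol 2,1`, both password settings and the unset `ChallengeResponseAuthentication`, which is what appending lines to the bottom of the stock Debian file buys you. The exit status is the number of findings, so it drops straight into a post-install check or a cron job.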

### DNS (bind9)

Install bind9 with aptitude.

Two new files in /etc/bind:


$TTL 3600       ; 1 hour
                        IN SOA (
                                2008041201    ; serial
                                3600            ; refresh 1 hr
                                1800            ; retry 30 mins
                                604800          ; expire 1 wk
                                3600            ; minimum 1 hr
                                )

menavaur              A     ; Old firewall
nornour               A     ; New firewall
dolphin-tp            A     ; Astrid mac mini LAN
dolphin               A     ; Astrid mac mini WLAN
slippen-tp            A     ; Chris laptop LAN
slippen               A     ; Chris laptop WLAN
czar                  A     ; Linux file server
goldeneagle           A     ; Astrid XP
galatea-tp            A     ; Chris laptop (work) LAN
galatea               A    ; Chris laptop (work) WLAN
bonnet                A    ; Chris iMac
shah                  A    ; Unused
islander              A    ; Unused
serica                A    ; Unused
klondyke              A    ; Unused
campernel             A    ; Unused
bedroom-tp            A    ; Airport
bedroom               A    ; Airport
lounge-tp             A    ; Airport
lounge                A    ; Airport
store                 A    ; ReadyNAS NV+
wii                   A    ; Wii
dhcp50                A    ; DHCP
dhcp51                A    ; DHCP
dhcp52                A    ; DHCP
dhcp53                A    ; DHCP
dhcp54                A    ; DHCP
dhcp55                A    ; DHCP
dhcp56                A    ; DHCP
dhcp57                A    ; DHCP
dhcp58                A    ; DHCP
dhcp59                A    ; DHCP
dhcp60                A    ; DHCP
wifi1                 A   ; Linksys AP
wifi2                 A   ; Linksys AP
ns                    CNAME  nornour             
irc                   CNAME  czar                
web                   CNAME  czar        

$TTL 3600       ; 1 hour
                        IN SOA (
                                2008041201    ; serial
                                3600            ; refresh 1 hr
                                1800            ; retry 30 mins
                                604800          ; expire 1 wk
                                3600            ; minimum 1 hr
                                )

1    PTR          ; Old firewall
2    PTR           ; New firewall
3    PTR        ; Astrid mac mini LAN
4    PTR           ; Astrid mac mini WLAN
5    PTR        ; Chris laptop LAN
6    PTR           ; Chris laptop WLAN
7    PTR              ; Linux file server
8    PTR       ; Astrid XP
9    PTR        ; Chris laptop (work) LAN
10   PTR           ; Chris laptop (work) WLAN
11   PTR            ; Chris iMac
12   PTR              ; Unused
13   PTR          ; Unused
14   PTR            ; Unused
15   PTR          ; Unused
16   PTR         ; Unused
30   PTR        ; Airport
31   PTR           ; Airport
32   PTR         ; Airport
33   PTR            ; Airport
34   PTR             ; ReadyNAS NV+
35   PTR               ; Wii
50   PTR            ; DHCP
51   PTR            ; DHCP
52   PTR            ; DHCP
53   PTR            ; DHCP
54   PTR            ; DHCP
55   PTR            ; DHCP
56   PTR            ; DHCP
57   PTR            ; DHCP
58   PTR            ; DHCP
59   PTR            ; DHCP
60   PTR            ; DHCP
200  PTR             ; Linksys AP
201  PTR             ; Linksys AP

Then we need to activate these two in /etc/bind/named.conf.local:


zone "" {
    type master;
    file "/etc/bind/";
};

zone "" {
    type master;
    file "/etc/bind/";
};

Restarted bind - now this is authoritative for my local net 192.168.1.x and forwards to the ISP for everything else. Two things to check in /etc/bind/named.conf.options: the forwarding only happens if the ISP's resolvers are listed in a `forwarders { ... };` block (Debian's default config recurses from the root servers instead), and `allow-recursion { 192.168.1.0/24; };` keeps the box from becoming an open resolver if a firewall rule is ever loosened (the ruleset below already drops unsolicited traffic arriving on eth0).
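Added example, not from the original post or from BIND: a forward/reverse consistency check, because the two zone files above carry the same information twice and nothing in named keeps them in step (a host renamed in one file but not the other is the usual result). It takes the origin and the /24 prefix as arguments since neither file states them (named.conf does). The domain home.example, the addresses and the deliberately inconsistent sample zones are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check a forward zone
# against its in-addr.arpa zone. Every A record should have a PTR for its
# address, and that PTR should point back at the same name. PTR targets are
# expected to be fully qualified, as they are in a correct reverse zone.
# Function names, the home.example domain and all addresses are constructed.

zone_xcheck() {   # $1 forward zone, $2 origin, $3 /24 prefix, $4 reverse zone
    _out=$(awk -v origin="$2" -v net="$3" '
        { sub(/;.*/, "") }                       # drop comments
        NF == 0 || $1 ~ /^\$/ { next }           # blanks, $TTL, $ORIGIN
        {
            type = ""                            # find the RR type token so that
            for (i = 2; i < NF; i++)             # "name A x", "name IN A x" and
                if ($i == "A" || $i == "PTR") {  # "name 3600 IN A x" all parse
                    type = $i; rdata = $(i + 1); break
                }
            if (type == "") next                 # SOA, NS, CNAME, ...
        }
        FNR == NR && type == "A" {               # first file: forward zone
            n = $1
            if (n !~ /\.$/) n = n "." origin "." # qualify relative names
            fwd[n] = rdata; byaddr[rdata] = n
            next
        }
        FNR != NR && type == "PTR" {             # second file: reverse zone
            addr = net "." $1
            seen[addr] = 1
            if (!(addr in byaddr))
                print "PTR without A: " addr " -> " rdata
            else if (byaddr[addr] != rdata)
                print "PTR mismatch: " addr " -> " rdata " (A says " byaddr[addr] ")"
        }
        END {
            for (n in fwd)
                if (!(fwd[n] in seen)) print "A without PTR: " n " " fwd[n]
        }
    ' "$1" "$4" | LC_ALL=C sort)
    [ -z "$_out" ] || printf '%s\n' "$_out"
    [ -z "$_out" ]                               # 0 when the two zones agree
}

# Constructed sample zones with three deliberate inconsistencies;
# prints the directory they are written to.
make_zone_samples() {
    _d=$(mktemp -d)
    cat > "$_d/fwd.zone" <<'EOF'
$TTL 3600       ; 1 hour
@       IN SOA  nornour.home.example. hostmaster.home.example. (
                2008041201 3600 1800 604800 3600 )
@       IN NS   nornour.home.example.
nornour         A       192.168.1.2     ; new firewall
czar            A       192.168.1.7     ; file server
store           A       192.168.1.34    ; NAS, renamed from "nas"
wii             A       192.168.1.35    ; never got a PTR
ns              CNAME   nornour
EOF
    cat > "$_d/rev.zone" <<'EOF'
$TTL 3600       ; 1 hour
@       IN SOA  nornour.home.example. hostmaster.home.example. (
                2008041201 3600 1800 604800 3600 )
@       IN NS   nornour.home.example.
2       PTR     nornour.home.example.
7       PTR     czar.home.example.
34      PTR     nas.home.example.       ; stale after the rename
50      PTR     dhcp50.home.example.    ; no A record in the forward zone
EOF
    printf '%s\n' "$_d"
}

# Usage: sh zone_xcheck.sh db.home.example home.example 192.168.1 db.192.168.1
if [ $# -eq 4 ]; then
    zone_xcheck "$1" "$2" "$3" "$4"
fi
```

Run it after every zone edit (or from the same place that bumps the serial); a clean pair of files produces no output and exit status 0, so it fits a `named-checkzone && zone_xcheck` pre-reload step.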

### DHCP

Install dhcpd (virtual package) with aptitude.

Firstly - we want only to serve DHCP internally - that is on interface eth1. For the etch dhcp3-server package that is set in /etc/default/dhcp3-server:

INTERFACES="eth1"


Now configure /etc/dhcp3/dhcpd.conf. Most internal machines get a fixed IP via MAC address, but there is also a range of .50 to .60 for visitors.


group {
    option subnet-mask;
    option routers;
    option domain-name-servers;
    option domain-name      "";

    host menavaur {
            hardware ethernet 00:60:08:47:03:69;
    }
    host dolphin-tp {
            hardware ethernet 00:16:CB:94:15:D3;
    }
    host dolphin {
            hardware ethernet 00:16:CB:05:8C:03;
    }
    host slippen-tp {
            hardware ethernet 00:16:CB:C9:2E:A3;
    }
    host slippen {
            hardware ethernet 00:16:CB:B9:F5:B6;
    }
    host czar {
            hardware ethernet 00:0A:5E:1F:3D:6F;
    }
    host goldeneagle {
            hardware ethernet 00:0C:6E:4D:48:DA;
    }
    host galatea-tp {
            hardware ethernet 00:1B:63:A8:06:8B;
    }
    host galatea {
            hardware ethernet 00:1C:B3:C5:21:5B;
    }
    host bedroom-tp {
            hardware ethernet 00:14:51:74:F6:AA;
    }
    host bedroom {
            hardware ethernet 00:14:51:74:F6:AB;
    }
    host lounge-tp {
            hardware ethernet 00:14:51:73:86:96;
    }
    host lounge {
            hardware ethernet 00:14:51:73:86:97;
    }
    host wii {
            hardware ethernet 00:19:1D:FE:A0:56;
    }
    host wifi1 {
            hardware ethernet 00:1A:70:AB:A4:AC;
    }
    host wifi2 {
            hardware ethernet 00:1A:70:AB:A6:91;
    }
}

shared-network LOCAL-NET {
    option  domain-name " ";
    option  domain-name-servers;

    subnet netmask {
            option routers;
    }
}

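Added example (not from the post or from the ISC dhcpd package): a lint for the host blocks above. dhcpd compares hardware addresses case-insensitively, so a second block carrying the same MAC in different case silently competes with the first host for its reservation, and a host block with a MAC but no fixed-address quietly gets a lease from the visitor range instead. Function names, host names, MACs and addresses in the sample are constructed; one declaration per line is assumed, as in the file above.

```shell
#!/bin/sh
# Added example (not from the original post): lint the static host blocks of
# a dhcpd.conf for duplicate hardware addresses (compared case-insensitively,
# as dhcpd does) and for reservations that lack a fixed-address.
# One declaration per line is assumed. Names, MACs and addresses are constructed.

dhcp_hosts_check() {                # $1 = dhcpd.conf; exit status = findings
    awk '
        { sub(/#.*/, "") }                         # drop comments
        $1 == "host" {                             # "host NAME {" opens a block
            host = $2; sub(/[{].*/, "", host)
            inhost = 1; mac = ""; fixed = 0
        }
        inhost && $1 == "hardware" && $2 == "ethernet" {
            mac = tolower($3); sub(/;.*/, "", mac) # normalise case, drop ";"
            if (mac in owner) {
                print "duplicate MAC " mac ": " owner[mac] " and " host; n++
            } else
                owner[mac] = host
        }
        inhost && $1 == "fixed-address" { fixed = 1 }
        inhost && /\}/ {                           # end of the host block
            if (mac == "") { print "host " host " has no hardware ethernet"; n++ }
            if (!fixed)    { print "host " host " has no fixed-address"; n++ }
            inhost = 0
        }
        END { exit n }                             # n is 0 when nothing was found
    ' "$1"
}

# Constructed sample with one duplicate (differing only in case) and one
# reservation without an address; prints the file name.
make_dhcp_sample() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
group {
    option domain-name-servers 192.168.1.2;

    host nornour {
            hardware ethernet 02:00:00:00:00:01;
            fixed-address 192.168.1.2;
    }
    host czar {
            hardware ethernet 02:00:00:00:0A:5E;
            fixed-address 192.168.1.7;
    }
    host czar-old {
            hardware ethernet 02:00:00:00:0a:5e;   # same card as czar, lower case
            fixed-address 192.168.1.12;
    }
    host wii {
            hardware ethernet 02:00:00:00:00:35;   # reservation without an address
    }
}
EOF
    printf '%s\n' "$_f"
}

# Usage: sh dhcp_hosts_check.sh /etc/dhcp3/dhcpd.conf
if [ $# -gt 0 ]; then
    dhcp_hosts_check "$1"
fi
```

Pair it with `dhcpd3 -t` (the package's own syntax check), which accepts both of the conditions above without complaint.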

### Denyhosts

Denyhosts watches the ssh log and adds hosts to /etc/hosts.deny when they try things like brute-force attacks; sshd honours that file because the Debian build uses tcp wrappers. Note that with the firewall rules below sshd is not reachable from eth0 at all and password logins are off, so this mostly cuts noise from the LAN side. With /var/log on tmpfs the auth.log it watches starts empty after every reboot, although its own block list in /var/lib/denyhosts persists.

Install denyhosts with aptitude.

Configure the /etc/denyhosts.conf file - I simply changed the mail addresses and mail server - everything else was left defaulted.

### Firewall (iptables)

From and - the following iptables script was generated.




#!/bin/sh
# Default-deny for traffic to the firewall itself and for routed traffic;
# OUTPUT keeps its default of ACCEPT. Policies survive the flush below.
iptables -P INPUT DROP
iptables -P FORWARD DROP

# delete all existing rules.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and new ones that do not arrive on the
# external interface (i.e. from the LAN). sshd and bind are therefore not
# reachable from eth0 at all.
# ("-i ! eth0" is the etch-era iptables syntax; newer releases want "! -i eth0".)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# NAT ssh (2222) and http (80) to an internal machine. DNAT happens before
# FORWARD is consulted, so the FORWARD rules below see the rewritten destination.
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 2222 -j DNAT --to

# Open some ports externally (including the ports for NAT)
iptables -A FORWARD -p tcp -m state --state NEW --dport 22 -i eth0 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW --dport 80 -i eth0 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW --dport 2222 -i eth0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Reject anything arriving on eth0 that would be routed straight back out of
# eth0. Everything else not accepted above, including unsolicited
# outside-to-inside traffic, falls through to the FORWARD policy of DROP.
iptables -A FORWARD -i eth0 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

The script is not persistent: run it before eth0 comes up on every boot, for instance from a `pre-up` line in the eth0 stanza of /etc/network/interfaces or as a script in /etc/network/if-pre-up.d/, so the box is never on the ISP link with the default ACCEPT policies.