CyberMan Software

Terms of use:

Harvesting e-mail addresses from this website for Unsolicited Commercial E-mail (UCE) is strictly prohibited. UCE (aka SPAM) sent to any e-mail address in the cybermansoftware.com domain will be assumed to have been sent with the intent to harass or annoy. It may be prosecuted as a criminal offense under NY State Penal Code Section 240.30.


LEAF

Linux® Embedded Appliance Firewall

What is LEAF?
What is the difference between LEAF and Black Ice or Zone Alarm?
What about manufactured firewalls like NetGear™ and Cisco®?
How do I build my own LEAF?
How do I configure my LEAF?
How do I block access to adult websites?
Can you turn my fossil of a computer into a LEAF for me?
Will you take my albatross off my hands to turn it into a firewall, so it doesn't end up in a landfill?
How much does a CyberMan Software LEAF cost?

What is LEAF and why do I want it?

No, it's not a green thing that photosynthesizes energy for a plant. LEAF is a tiny form of Linux® that allows a classic Pentium® class computer that was really good in its previous life to be reincarnated as a broadband firewall. LEAF is so small, in fact, that the computer running it doesn't even need a hard drive; it boots from a floppy disk and runs entirely within RAM. If you have a broadband Internet connection, then a firewall is essential.

Here is a sample log file showing 100 attempts to spread LovSan (aka Blaster) to one of my computers. As you can see, it logged these 100 attempts between 05:16:31.39 AM and 05:23:44.72 AM (7 minutes, 13.33 seconds). This machine only has a dial-up connection. If it had a 24/7 broadband connection, it would be hit about 19,939 times in any given day.
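As an added illustration of the log-rate arithmetic above (example code written for this page, not the author's log file or tooling), the script below parses a few constructed firewall log lines, counts the dropped TCP connections to port 135 (the DCOM RPC port Blaster probed when spreading), and extrapolates the observed rate to a full day. The log format, addresses and timestamps are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample log lines (not the page's actual log file). The format is a
# simplified Shorewall-style kernel log line with a fractional-second timestamp;
# a real LEAF or personal-firewall log will look somewhat different.
SAMPLE_LOG = """\
05:16:31.39 DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP DPT=135
05:16:47.10 DROP IN=eth0 SRC=198.51.100.77 DST=203.0.113.5 PROTO=TCP DPT=135
05:17:02.55 DROP IN=eth0 SRC=192.0.2.14 DST=203.0.113.5 PROTO=UDP DPT=137
05:18:59.01 DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP DPT=135
05:23:44.72 DROP IN=eth0 SRC=192.0.2.200 DST=203.0.113.5 PROTO=TCP DPT=135
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) DROP .*?PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)

def blaster_attempts(log_text):
    """Timestamps of dropped TCP connections to port 135 (DCOM RPC), the
    service LovSan/Blaster probed when trying to spread to a new host."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("proto") == "TCP" and m.group("dpt") == "135":
            # %f accepts 1-6 fractional digits, so "31.39" parses as 31.390000
            hits.append(datetime.strptime(m.group("ts"), "%H:%M:%S.%f"))
    return hits

def extrapolate_per_day(count, span_seconds):
    """Scale `count` events observed over `span_seconds` to a 24/7 day."""
    if span_seconds <= 0:
        raise ValueError("need a positive observation window")
    return count * 86400 / span_seconds

def summarize(log_text):
    """Count Blaster attempts, measure the observation window, and project the
    daily hit rate; with fewer than two hits no rate can be computed."""
    hits = blaster_attempts(log_text)
    if len(hits) < 2:
        return {"count": len(hits), "span_seconds": 0.0, "per_day": None}
    span = (hits[-1] - hits[0]).total_seconds()
    return {"count": len(hits), "span_seconds": round(span, 2),
            "per_day": round(extrapolate_per_day(len(hits), span))}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    # The page's own figures: 100 hits in 7 min 13.33 s on a dial-up line
    print(round(extrapolate_per_day(100, 7 * 60 + 13.33)))
```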

What's the difference between LEAF and Zone Alarm or Black Ice?

The difference is that LEAF is a firewall and Zone Alarm and Black Ice (both good products) are not. So-called "application firewalls" or "firewall applications" are not really firewalls, because by the time they see a malicious data packet the packet is already inside your computer. A firewall is a device that sits between your main computer (the one with all of your personal files and applications on it) and the Internet. With a real firewall your main computer is blissfully unaware that hackers even exist. *

LEAF Diagram

What about manufactured firewalls like NetGear™ and Cisco®?

Manufactured firewalls typically run proprietary software, which is not usually as highly configurable as Open Source software, like Linux®. The source code is also not available for peer review, which is an important factor in determining the soundness of an algorithm. Some of them even have default usernames and passwords ** that the manufacturers can use to access them. Although the intent of this is benign (to assist users who have forgotten their passwords), it allows hackers to try to figure out the usernames and passwords and exploit them.

Another issue with manufactured firewalls is that some models cannot be configured to allow/disallow connections from specific hosts and networks. For example, if you want a friend of yours to be able to access your shared folders on your Windows system and you know their IP address, then with a LEAF you can allow your friend to access your system, while blocking everybody else. With most manufactured firewalls all you can do is allow everybody or allow nobody to access your system.

LEAF firewalls are expandable. You can add packages to them to perform some specific task above and beyond what was originally built in. LEAFs from CyberMan Software come with (by default):

Some of the other packages available include (most require a hard drive and significant configuration):

How do I build my own LEAF?

  1. Find a salvageable Pentium® class computer. Most computer recycling centers will sell you one for $10-$20. Forget speed; even a 90 MHz machine will more than suffice.
  2. Find 2 identical Ethernet cards. I use RealTek compatible cards. You can usually find these on eBay® for about $5 each.
  3. Open up the computer and remove all expansion boards except the video board (if it's not built into the motherboard). Also remove the hard drive. You do not want the hard drive unless you plan to add packages that won't fit on a floppy, which is not covered here. A hard drive will use about 30 watts of power.
  4. Download the floppy image. Note: This is a developmental image. It works, but I'm still tweaking stuff.
  5. If you already have a Linux® machine, then enter these commands:
    1. fdformat /dev/fd0u1722
    2. gunzip -c cms-leaf.bin.gz | dd of=/dev/fd0u1722
    If you use Windows, then:
    1. Use WinZip® to uncompress the file (cms-leaf.bin.gz).
    2. Use WinImage to copy the image to a floppy.
  6. To log in via SSH (and not have to connect your monitor to the LEAF to administer it), you'll need lshkey.lrp. This is used to configure a host key on your LEAF. It is not included in the LEAF disk image, because it is too big and only needs to be used once.
If you used RealTek compatible network cards, then your firewall should be usable as-is, but you'll need some preliminary information before you connect it to your broadband modem.

First, you'll need to identify which NIC is for your internal network and which is to be connected to your broadband modem. Firewalls purchased from CyberMan Software have the cards already labelled.

Connect your monitor to the firewall and boot it. When the firewall boots, it will prompt you for the IP addresses of your DNS servers. For now, just type test. At the login prompt, type root. You'll find yourself at a configuration screen. Quit the configuration program to drop to a Linux® prompt. Type ping 192.168.0.3 at the prompt; the traffic this generates is what makes the internal NIC's LED blink in the next step.

If you have a hub or switch, disconnect it from your broadband modem and plug both of the NICs on your firewall into it. Take note of which NIC has an LED on the back that is blinking. This one is your internal NIC. This is the one that will connect to your network.

If you don't have a hub or switch, connect one NIC on the firewall to your main computer (which should already be on) with a crossover (yellow) cable. If the LED on that firewall NIC is blinking, then it is the internal NIC. If not, then move the crossover cable to the other NIC on the firewall. It should be blinking now (and therefore be your internal NIC), or you have a problem.

Proceed to the directions below for configuring the firewall.

How do I configure my LEAF?

If you have a Windows machine, open the "Network" control panel and click "More Info"; if you have a Linux®/UNIX® machine, type cat /etc/resolv.conf. Jot down the "DNS Server" (Windows) or "nameserver" (Linux®/UNIX®) IP address(es). Sorry, MacOS users, I don't know how to check this under MacOS.

Plug the firewall's external NIC into your broadband modem and press CTRL+ALT+DEL on the firewall to reboot. You may need to reboot your broadband modem at this time as well. This time when the firewall prompts you for DNS server IP addresses, type each of them (up to 3) pressing ENTER after each one. If you have fewer than three, just press ENTER at the next prompt. Next, it will prompt you for a root password. This is very important, because it ensures that you are the only person who can configure the firewall.

Your password should be at least 6, preferably 8 characters and should not be a regular word. It should contain a mix of upper and lower case letters as well as numbers and/or punctuation symbols. Do not write down your password, ever. Memorize it.

Because your configuration has changed, you now have to back up those changes to your floppy disk. Login as root with the password you just gave it. Select "Back-up a package," and back up the root and udhcpd packages.

Your firewall is now configured to work, but it can be annoying to connect/disconnect your monitor just to manage it. There are two ways you can administer it from your main computer. One way is with a null modem serial cable. The other (preferred) way is across the network with an SSH client.

If you have a spare serial port on your main computer, you can connect it to the firewall with a null modem serial cable and use a terminal program such as TeraTerm (Windows) or minicom (Linux®/UNIX®). Basically, you follow the directions that come with the program you choose to connect to the serial port as if it were a modem and press ENTER to get a login prompt on the firewall.

If you don't have a spare serial port, or you simply prefer SSH (most people do, because their main computer is already connected to the firewall by Ethernet), proceed as follows.

LEAFs from CyberMan Software are preconfigured with SSH support. See the important note at the end of this section.

Quit the configuration program and insert the disk with lshkey.lrp. At the prompt, type the following commands:

mount -t msdos /dev/fd0u1440 /mnt
cd /mnt
lrpkg -i lshkey
makekey
cd
umount /mnt
Insert the LEAF boot disk. Type lrcfg to start the configuration program. Select "Back-up a package" and back up the lshd package. You can now log into your firewall with an SSH client, such as PuTTY.

Important: Every time you finish administering the firewall you should quit the configuration program and type exit at the prompt to log out.

How do I block access to adult websites?

LEAF, by default, allows users to access websites directly without going through tinyproxy (though tinyproxy is configured to run automatically). To require users to go through tinyproxy, you must configure the shorewall package to block forwarding of port 80 as follows:
  1. Log into the firewall.
  2. Select "Packages configuration", then "shorewall", then "Rules".
  3. Scroll down to the bottom of the file, looking for a line that reads, "#uncomment the following 3 lines to require the use of tinyproxy".
  4. Delete the pound sign "#" before "REJECT" on each of the three following lines.
  5. Press CTRL+S to save the file, then CTRL+Q to quit the editor.
  6. Quit the current and next menus.
  7. Back up the shorewall package.
  8. Quit the configuration program.
  9. At the prompt, type /etc/init.d/shorewall restart to apply the new rules.
  10. Type exit to log out.
  11. Configure your web browser:
      Netscape® or Mozilla
        1. Select Edit ==> Preferences.
        2. Under Advanced/Proxies, select Manual Proxy Configuration.
        3. Enter the address 192.168.0.1 and port number 8888 as the HTTP Proxy.
      Opera
        1. Select Edit ==> Preferences.
        2. Under Network/Proxy servers, enter the address 192.168.0.1 and port 8888 as the HTTP and HTTPS proxy servers.
      Internet Explorer
        1. Select Tools ==> Internet options.
        2. Under the Connections tab, click LAN Settings.
        3. Check "Use a proxy server."
        4. Enter the address 192.168.0.1 and port number 8888.

Can you turn my fossil of a computer into a LEAF for me?

If you live in the Greater Rochester, NY area, then maybe. It depends on the specs and condition of the computer. Can you answer "yes" to all of the following questions? I charge $20 for labor plus $5 for each NIC I install. You get to keep all of the components I strip out to conserve electricity. NICs that aren't RealTek compatible will be replaced, because that will be cheaper for you than paying me extra labor to locate, install and test an extra driver (not to mention having to squeeze yet another file onto a tiny, little floppy disk). NY Sales Tax applies.

Contact me to arrange for me to test and pick up your computer. Turnaround is usually about a day or two, depending on my schedule (yes, I work weekends).

Will you take my albatross off my hands so it doesn't end up in a landfill?

If you live in the Greater Rochester, NY area, then maybe. It depends on the specs and condition of the computer. Can you answer "yes" to all of the following questions? If you can answer, "yes" to all of those and I have room for an extra machine, then I will pay $10 for the computer plus $5 for each RealTek (rtl8139) compatible NIC. I'll also pay an extra $5 for an internal IDE/ATAPI media card reader plus $1 for each full 16 MB of RAM above and beyond the first 16 MB.

Any parts I normally remove to conserve electricity (sound cards, video cards that override onboard video, USB cards, IO cards, hard drives, CD-ROM drives, tape drives, etc.) become my property for no extra fee. After all, you're the one who wants to get rid of the albatross. ;-)

If you can answer, "yes" to the above questions and your computer is a laptop, then I will pay $20 plus $5 for each 3Com® 589 compatible or Xircom® IIps compatible PCMCIA NIC (w/dongle). I almost always have room for laptops.

Contact me to arrange for me to test and pick up your computer.

How much does a CyberMan Software LEAF cost?

Currently $40, though this is subject to change depending on how much it costs me to keep a supply of LEAFs on hand.

Contact me to arrange for me to drop yours off.

* Firewalls can block hackers from coming in from the outside, but they cannot (usually) stop data from being transmitted out from your main computer by a virus. Therefore, it is important for Windows users to keep their antivirus software updated.

** According to McClure et al. (2001). Hacking Exposed, 3rd ed. McGraw-Hill, pp. 452-455.

*** Tinyproxy only filters on the URL being requested, not on the actual contents of web pages. LEAFs sold by CyberMan Software are preconfigured to allow web access without a proxy, so blocking direct access must be configured manually.

All trademarks and registered trademarks are property of their respective owners. Use of trademarks for product reference and comparison is considered "fair use" under copyright law.


Privacy Policy:

Absolutely no personally identifiable information is collected about your visit to this website. If, however, you choose to contact CyberMan Software or participate in a contest, then only information that is necessary to reply to you or deliver your prize is collected. No information will ever be shared with anybody else, except as legally required. Period.

Copyright © 10-09-2003
CyberMan Software, All Rights Reserved