LEAF/Bering

LEAF/Bering makes a firewall/NAT box out of old '486 (or better) PCs.

The hardware requirements for a basic LEAF/Bering firewall/NAT box are:

Case
Power Supply
Motherboard
CPU
16MB of RAM
Floppy Drive
Two Ethernet Cards
Maybe a Keyboard to get past BIOS when booting
You do not need:
Hard Drive
CD-ROM Drive
Mouse
Monitor (well, this would be nice during configuration)
A '486 DX2/66 is fast enough to keep up with 10Base-T ethernet at full speed for a basic firewall/NAT box.  Any faster CPU is just a waste.  Faster CPUs heat up your room, and need a noisy fan.  However, anything that needs encryption, such as a VPN, will require much more CPU power.  

Here's a complete example of how to set up LEAF/Bering as a firewall/NAT box for use with RoadRunner in Central Ohio.  

The LEAF/Bering installation guide is mostly OK, but there are a few places where it leads you down a blind alley and beats you up.   I can help you avoid those blind alleys.  

Blind Alley #1
Section 5.  They need to talk more about the downloaded files that one gets the drivers out of.  

Kernel versions.  The version of the kernel that the drivers are compiled for must match the version of the kernel that LEAF/Bering is using.  The kernel version for which the drivers are compiled is part of the big file's name.  For example, Bering_1.1_modules_2.4.20.tar.gz is compiled for use with the 2.4.20 version of the Linux kernel.  They don't mention that Bering 1.1 uses the 2.4.20 kernel and can only be used with drivers compiled for 2.4.20 kernels.  Bering 1.0 uses a 2.4.18 kernel, and only drivers compiled for that kernel version can be used with it.  The Bering_1.0-stable_modules_2.4.20.tar.gz file is a blind alley.  It cannot work with Bering 1.0.  If one is using Bering 1.0, one is tempted to use the latest and greatest modules for Bering 1.0, but the Bering_1.0-stable_modules_2.4.20.tar.gz modules will not work with Bering 1.0.  This is very misleading.  
Blind Alley #2
Section 5.  There can be more than one version of an ethernet card driver in the big modules files.  For example, Bering_1.1_modules_2.4.20.tar.gz has two tulip.o drivers:
-rw-r--r-- root/root     49501 2003-02-15 17:07:37 ./2.4.20/kernel/drivers/net/tulip/tulip.o
-r--r--r-- root/root     44664 2003-02-16 03:46:10 ./2.4.20/net/tulip.o
Use the drivers in the ./2.4.20/kernel/drivers/net/ directory.  The official documentation gives no clues as to whether they are the same, are different, or why one would choose one over the other.  Empirically the drivers in the ./2.4.20/kernel/drivers/net/ directory seem to be the right ones.  Use them.  I heard that the drivers in the ./2.4.20/net/ directory are from Becker.  There are many more drivers in the ./2.4.20/kernel/drivers/net/ directory than in the ./2.4.20/net/ directory.  Why do some drivers, like the tulip driver, have their own little subdirectory?  This needs to be explained.  

Knowing how to select the right ethernet driver module is a big hairy subject in its own right.  
Blind Alley #3
Section 5.  After you've retrieved the module files you need, you need to put them on a floppy disk.  
  1. Extract the drivers you need from the monster tar ball.  
  2. Consolidate them into another (smallish) tarball.  Later you will be reading this tarball from an msdos format floppy that cannot handle long filenames, so give the new tarball a simple short msdos compatible filename, like drivers.tgz.  
  3. Copy the new tarball to an ordinary 1.44MB msdos format floppy disk.  
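Here is a script that does steps 1 through 3 above and also applies the kernel-version check from Blind Alley #1 before it touches anything.  It is an added example, not part of the LEAF/Bering documentation or project.  It assumes GNU tar and gzip on the desktop machine, the tarball layout shown in the tulip.o listing above (./<kernel>/kernel/drivers/net/... alongside ./<kernel>/net/...), and mtools for the final copy to the msdos floppy.  The make_demo_tarball function builds a constructed stand-in for Bering_1.1_modules_2.4.20.tar.gz so the rest can be tried without downloading anything.

```shell
#!/bin/sh
# Added example, not from the LEAF/Bering documentation or project.
# Assumptions: GNU tar/gzip; big modules tarball laid out as
# ./<kernel>/kernel/drivers/net/... and ./<kernel>/net/...; mtools installed
# for the copy onto the MS-DOS floppy.
set -e

# tarball_kernel_version BIG_TARBALL
# The first path component inside the big modules file (2.4.20 for
# Bering_1.1_modules_2.4.20.tar.gz) names the kernel the modules were built for.
tarball_kernel_version() {
    tar -tzf "$1" | sed 's#^\./##' | awk -F/ 'NF > 1 && $1 != "" { print $1; exit }'
}

# check_kernel_version BIG_TARBALL RUNNING_KERNEL
# Succeeds only when the modules match the kernel LEAF/Bering actually boots;
# this is the check that keeps you out of Blind Alley #1.
check_kernel_version() {
    [ "$(tarball_kernel_version "$1")" = "$2" ]
}

# build_drivers_tgz BIG_TARBALL KERNEL_VERSION OUTPUT MODULE...
# MODULE is relative to ./<kernel>/kernel/drivers/net/ (tulip/tulip.o,
# 8139too.o, ...).  Only that tree is used, never the ./<kernel>/net/ copies.
# The chosen .o files are flattened into OUTPUT so the floppy tarball has
# short, simple paths.
build_drivers_tgz() {
    big="$1"; kver="$2"; out="$3"; shift 3
    check_kernel_version "$big" "$kver" || return 1
    work=$(mktemp -d)
    mkdir -p "$work/flat"
    for m in "$@"; do
        tar -xzf "$big" -C "$work" "./$kver/kernel/drivers/net/$m" || return 1
        cp "$work/$kver/kernel/drivers/net/$m" "$work/flat/"
    done
    tar -czf "$out" -C "$work/flat" .
    rm -rf "$work"
}

# list_drivers_tgz OUTPUT: the module names packed into the small tarball
list_drivers_tgz() {
    tar -tzf "$1" | sed 's#^\./##' | grep '\.o$' | sort
}

# copy_to_floppy OUTPUT: step 3, onto a plain 1.44MB MS-DOS floppy in /dev/fd0
# (mtools; the 8.3 name drivers.tgz is what the floppy can hold)
copy_to_floppy() {
    mcopy -i /dev/fd0 "$1" ::drivers.tgz
}

# make_demo_tarball PATH: constructed stand-in for Bering_1.1_modules_2.4.20.tar.gz
# with the same two tulip.o copies as the listing above.
make_demo_tarball() {
    d=$(mktemp -d)
    mkdir -p "$d/2.4.20/kernel/drivers/net/tulip" "$d/2.4.20/net"
    printf 'kernel tree tulip' > "$d/2.4.20/kernel/drivers/net/tulip/tulip.o"
    printf 'kernel tree 8139too' > "$d/2.4.20/kernel/drivers/net/8139too.o"
    printf 'becker tulip' > "$d/2.4.20/net/tulip.o"
    tar -czf "$1" -C "$d" ./2.4.20
    rm -rf "$d"
}

# Typical use on the desktop, once the real tarball is downloaded:
#   build_drivers_tgz Bering_1.1_modules_2.4.20.tar.gz 2.4.20 drivers.tgz tulip/tulip.o
#   copy_to_floppy drivers.tgz
```

Because build_drivers_tgz refuses to run when the tarball's kernel directory does not match the kernel you pass in, mixing up Bering 1.0 (2.4.18) and the 2.4.20 modules fails on the desktop instead of at boot time on the firewall.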
Blind Alley #4
Insert new section between sections 5 and 6.  
You are done with the computer that made the floppies in sections 4 and 5.  You now have two floppies.  The first floppy (that you made in section 4) has a bootable LEAF/Bering image on it.  The second floppy (that you made in section 5) has just the drivers you need on it.  Now boot the first floppy in your firewall.  You will use LEAF/Bering to configure itself.  

(This business of booting the first floppy is given a minor mention in section 6.1, and you could miss it if you skipped that section because you weren't concerned about removing unneeded packages.)
The rest of the installation guide is OK.  After you are done, the finished product is on the first floppy.  It is smart to write protect it and make a backup.  You don't need the second floppy anymore for the drivers, so you can put the backup on it.  

<need to do: Caveat about testing firewalls behind firewalls, and norfc1918whatever and how network addresses need to be different.  >

Need to do:

Compare Coyote Linux and LEAF/Bering.  

Walk through one complete rather default example.  
internet side is DHCP client.  
local side is 192.168.1.254/24.  
Need to put LEAF/Bering floppy image here for upgrade from Coyote Linux firewall kits.  

README
smc-ultras.log need LEAF/Bering version here!!!
smc-ultras.img need LEAF/Bering version here!!!
missingdhcp need LEAF/Bering version here!!!
smc-ultras-pppoe.log need LEAF/Bering version here!!!

coyote-1.31.tar.gz need LEAF/Bering version here!!!
md5sums

smc-dos-utilities

index.html
MD5SUM
Wish list:
Would be nice to combine user-interface of Coyote Linux with guts of LEAF/Bering.  
Expert tricks:
  1. You can download just the driver modules you need from here instead of downloading huge tarballs.  
  2. Do all the work on the desktop Linux computer.  Mount the floppy image with the loop device.  Edit the files as you please.  The *.lrp files are just .tar.gz tarballs.  Unwrap them, make your changes, then rewrap them back to the mounted loop device.  When you are done making your changes, unmount the loop device and use dd to copy the modified floppy image to the floppy.  An important benefit of doing all the work on the desktop computer is that the whole configuration can be automated and logged.  
  3. Do all the work on the firewall.  Use something like Tom's Root Boot or the Linux Bootable Business Card to make the first two floppies.  You might need a lot of RAM in your firewall to do this.  You can mitigate the need for RAM by downloading just the drivers you need from here.  
  4. Scott Merrill likes to format both floppies as /dev/fd0u1680 so that he can avoid some confusion by treating them the same.  
See Scott Merrill's Introduction to LEAF/Bering.  
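The unwrap/edit/rewrap cycle from expert trick #2, written out as a script.  This is an added example, not LEAF/Bering's own tooling.  It assumes you are root on the desktop Linux box (for the loop mount and dd), that the floppy image is msdos formatted, that an .lrp is a gzipped tarball of files named relative to / (etc/network/interfaces and the like), and that /dev/fd0 is the target floppy.  The LEAF_LOG variable is an invention of this example: every rewrap appends a line to it, which is the "automated and logged" benefit the trick is about.

```shell
#!/bin/sh
# Added example, not LEAF/Bering's own tooling.  Assumptions: root on the
# desktop for mount/dd; an .lrp is a gzipped tarball rooted at / (members like
# etc/network/interfaces or ./etc/network/interfaces); msdos floppy image;
# LEAF_LOG (hypothetical) names a log file for the changes made.
set -e

# lrp_cat LRP PATH_IN_LRP: print one file from inside an .lrp without
# unpacking the whole package (accepts both "etc/x" and "./etc/x" member names)
lrp_cat() {
    if tar -tzf "$1" | grep -qx "$2"; then
        tar -xzOf "$1" "$2"
    else
        tar -xzOf "$1" "./$2"
    fi
}

# lrp_put LRP PATH_IN_LRP SOURCE_FILE: unwrap the package, drop SOURCE_FILE in
# at PATH_IN_LRP, rewrap it in place, and record what was changed.
lrp_put() {
    lrp="$1"; inner="$2"; src="$3"
    work=$(mktemp -d)
    tar -xzf "$lrp" -C "$work"
    mkdir -p "$work/$(dirname "$inner")"
    cp "$src" "$work/$inner"
    tar -czf "$lrp" -C "$work" .
    rm -rf "$work"
    printf '%s updated %s in %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$inner" "$lrp" \
        >> "${LEAF_LOG:-/dev/null}"
}

# edit_image IMAGE LRP_NAME PATH_IN_LRP SOURCE_FILE: the whole trick #2 cycle,
# mount the floppy image through the loop device, rewrap one .lrp, unmount.
edit_image() {
    img="$1"; mnt=$(mktemp -d)
    mount -o loop -t msdos "$img" "$mnt"
    lrp_put "$mnt/$2" "$3" "$4"
    umount "$mnt"
    rmdir "$mnt"
}

# write_floppy IMAGE: dd the modified 1.44MB image onto the floppy in /dev/fd0
write_floppy() {
    dd if="$1" of=/dev/fd0 bs=1024 count=1440
}

# Typical use, with a copy of the section 4 floppy image on the desktop:
#   LEAF_LOG=firewall-changes.log
#   edit_image bering.bin etc.lrp etc/network/interfaces my-interfaces
#   write_floppy bering.bin
```

Keeping my-interfaces and the log file next to the image means the firewall's configuration can be rebuilt from scratch, and every change to the floppy has a timestamped record.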

"Adventure is a sign of incompetence" Vilhjalmur Stefansson

Last modified 2003-05-18