Using Coyote Linux as a Road Runner Firewall

Ken Horton, Horton Engineering


One of my customers recently upgraded their ISP service from dial-up to Central Florida Roadrunner. Warren Dodd, www.allbrevard.com, recommended that the customer use a utility called "Shields Up" by Gibson Research Corporation (www.grc.com) to test the security of the system. The result was scary. There was no security! As a result, the customer asked me for assistance in installing a firewall.

This paper describes the evaluation and implementation of a router/firewall using Coyote Linux for a Time-Warner Road Runner cable modem.

Existing computer system

The configuration before Roadrunner had two Windows computers networked with 100BaseT connection in a Small Office Home Office environment. SOHO network software was delivered with a Compaq Windows 98 system. The computers shared the Compaq's 56K dial-up modem as well as disks and printers. With only two nodes the computers were connected using a crossover cable.

Adding the Roadrunner cable modem required a change in the network hardware configuration. Central Florida Roadrunner provided a 10BaseT modem. To connect all three nodes, a hub was needed. Hubs are not intelligent and run at the lowest common speed of the attached devices, so the cable modem dropped the internal transfer rate by an order of magnitude. The hub was replaced with a 10/100BT switch, but the system was still lacking security.

Researching Router/Firewall alternatives

As a member of the Melbourne Linux User Group, I researched Anthony Awtrey's publication, which describes using Debian Linux for RoadRunner connectivity. His 32-page paper describes how to build a Debian Linux system that is a firewall, router, mail server and much more. Having previous experience with RedHat and Caldera Linux, I wasn't eager to learn the nuances of Debian (not yet, anyway). I researched the Linux Router Project and followed some great links that were posted to the Melbourne Linux Users Group Message Board as well as links on Slashdot. They led me to Coyote Linux by Vortech.net. In May 2000, Coyote Linux was spun off from Vortech.net to Prairie Wolf Software.

Coyote Linux boots a lean, mean version of Linux (kernel 2.2.14) from a 3.5" diskette. It requires a minimum of a 486 computer, 12 MB of memory, two Ethernet cards, and a floppy disk drive.

Configuring Coyote

  1. If you are a Linux user, you can download a Linux GPL version of the software and build your boot floppy on a Linux system.
  2. If you are a Windows user, Vortech.net developed a Windows GUI version of the configurator. According to the Coyote Linux web site Prairie Wolf Software will be marketing this software.


After printing Vortech web pages and reviewing the last 50 messages of their very active Phorum message board, I was ready to configure my first Coyote diskette. Because of my philosophy, "Use root only when necessary", my first attempt failed. The commands fdformat or mkdosfs or perhaps the permissions on /dev/fd were to blame. This is documented. So I logged in as root and proceeded to build the coyote boot diskette without further problems.

Network wiring for your Coyote firewall

Your cable modem connects directly to an Ethernet card (10BaseT) in your Coyote node. Use the cable supplied with the Roadrunner modem. Connect the other Ethernet card with a CAT-5 cable to a hub or switch. Connect the rest of your home-office computers to the hub or switch.

Selecting Coyote hardware

A search of the customer's boneyard found a Packard Bell 486-75 with 12MB RAM and a 500MB hard disk, CDROM, 14.4 modem with sound, one available ISA slot and Windows 3.11. Online Coyote documentation states that you can remove the hard disk and fan. I removed the sound card to free up an ISA slot and installed two ISA 10BASE-T KTI ET16/P-D2 cards (NE2000 clones). Plug and Play was disabled with a hardware jumper on the cards, and the interrupt and I/O address were set manually. Write down the I/O address and IRQ for each card. You may want to label each card next to the RJ45 connector. Label them Internet and Local; these are the terms Coyote uses.

Local build capability

Although I built a boot disk in the office, I decided that it would be nice to have the capability to rebuild the floppy on site. So Red Hat 6.0 was installed on the 500MB hard disk to provide a way of rebuilding the floppy without requiring a trip back to a Linux computer in the office. Note that the hard disk is not accessible when this computer is booted from the Coyote floppy.

Using the Coyote Linux build utility

The software can be downloaded from www.coyotelinux.com as a gzipped tar file (.tar.gz). On your development system you will need two packages in order to run the configuration: mtools and mkdosfs. The Coyote boot floppy is actually a DOS-formatted diskette.

To run the configuration, you should be logged in as root. This is needed to write the boot sector to /dev/fd0.
You are asked a few questions and then the diskette is created. The questions are simple and are driven by a Perl script. If you make a typo, you may have to start over, as ^H is echoed to the screen rather than deleting the character. To run the script, simply cd to the directory in which you installed Coyote and enter the command ./mkfloppy.sh.

Configuration Questions and Answers

Here are the questions that are asked during configuration:

1) What type of Internet configuration is being used? Coyote Version V.1.13 has one option, 1) Standard Ethernet. Future versions may allow additional interfaces. Select 1.

2) Default IP, netmask, broadcast, network addresses are displayed. Question: Do you want to change these settings?  Answer N.

3) Does your Internet connection get its IP address via DHCP?  Answer Y.

4) Install the Roadrunner DEC protocol login software? Answer Y.

5) Do you want to install Coyote DHCP Server?  Answer Y.

6) If you did not take the default in question 2, you will be asked to enter a starting and ending DHCP range now. The default range is 192.168.0.128 to 192.168.0.254. You can enter this range unless the Coyote IP is within it.

7) Enter your DHCP host name. For Central Florida Roadrunner enter cfl.rr.com.

8) Enter information for the Internet network card. In my case the type is ne (NE2000 and compatibles).
    The I/O address was 320. It expects hex numbers here (don't use a 0x prefix).
    The interrupt was 10. It expects decimal numbers here, so an IRQ greater than 9 is entered as-is, not in hex.

9) Enter information for your local network card. This will be three parameters: type, ioport and irq. If you use the same type of card for both, less disk and memory space will be used because only one driver will be loaded. The program displays driver dependencies. In this case 8390.o and ne.o were loaded.

10) Do you want to install the oidentd package? Select N.

11) Do you want to add VPNd? Select N.

A disk image is then created and you will be asked to insert a blank floppy and press enter to continue. A boot floppy is created. You are now ready to boot from the floppy.
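Because a typo means starting the script over, it is worth checking the answers for the pitfalls the questions above mention before running mkfloppy.sh. The following Python script is an added example, not part of Coyote Linux or the mkfloppy.sh script; it assumes the Coyote box's local address is 192.168.0.1, and the local card's port and IRQ (300, 5) are constructed values.

```python
import ipaddress


def check_dhcp_range(router_ip, netmask, start, end):
    """Problems with the DHCP range answer (question 6); empty list means OK."""
    problems = []
    net = ipaddress.ip_network(f"{router_ip}/{netmask}", strict=False)
    router = ipaddress.ip_address(router_ip)
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo > hi:
        problems.append("DHCP range start comes after its end")
    for addr in (lo, hi):
        if addr not in net:
            problems.append(f"{addr} is outside the local network {net}")
    if lo <= router <= hi:
        problems.append(f"Coyote's own address {router} lies inside the DHCP range")
    return problems


def check_card(label, ioport, irq):
    """Problems with one card's port/IRQ answers (questions 8 and 9).
    Returns (problems, port as int or None, irq as int or None)."""
    problems, port_val, irq_val = [], None, None
    # mkfloppy.sh wants plain hex here; int(x, 16) would silently accept "0x320"
    if ioport.lower().startswith("0x"):
        problems.append(f"{label}: enter the I/O port as plain hex, not {ioport!r}")
    else:
        try:
            port_val = int(ioport, 16)
        except ValueError:
            problems.append(f"{label}: I/O port {ioport!r} is not a hex number")
    if irq.isdigit() and 1 <= int(irq) <= 15:  # ISA cards use IRQ lines 1..15
        irq_val = int(irq)
    else:
        problems.append(f"{label}: IRQ {irq!r} must be a decimal number from 1 to 15")
    return problems, port_val, irq_val


def check_cards(internet, local):
    """internet and local are (ioport_hex, irq_decimal) pairs as typed at the prompt."""
    p1, port1, irq1 = check_card("Internet card", *internet)
    p2, port2, irq2 = check_card("Local card", *local)
    problems = p1 + p2
    if port1 is not None and port1 == port2:
        problems.append("both cards use the same I/O port")
    if irq1 is not None and irq1 == irq2:
        problems.append("both cards use the same IRQ")
    return problems


if __name__ == "__main__":
    # Default DHCP range and the Internet card (320, IRQ 10) are from the article;
    # router address 192.168.0.1 is assumed, local card (300, IRQ 5) is constructed.
    for msg in check_dhcp_range("192.168.0.1", "255.255.255.0", "192.168.0.128", "192.168.0.254"):
        print("DHCP:", msg)
    for msg in check_cards(("320", "10"), ("300", "5")):
        print("Cards:", msg)
```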

Booting Coyote from your 3.5" diskette

The configuration does not set your Roadrunner username and password. Set this the first time you boot coyote.

Log in as root. There is no password. The lrcfg (Linux Router Configurator) menu is executed from the root login script.
Select the Roadrunner configuration option and enter your Roadrunner username and password.

The menu gives you the ability to change other network parameters including ipchains configuration.

Because these changes only affect the ramdisk, use the backup command to write the new configuration to the boot floppy.

You should be up and running!

Test the security with the "SHIELDS UP". In this case, computers behind the firewall showed up as "stealth"!

Select option 6, Show current status. eth0 and eth1 should be up. If not, reboot. If you are still not up, check the list below for possible problems.

Possible problems

If your build script fails, make sure that the mtools and mkdosfs packages have been installed.

If an Ethernet line does not come up, verify that the I/O address and IRQ are correct. Are there any other peripherals using those addresses?

Be sure to look at all of the screens of computers in your network.  You may get a Windows message saying that a DHCP address has been requested. Select OK. If you don't close the dialog box, that network node may be hung awaiting mouse input. This occurred and caused a failure in sharing resources between internal computers.

Look at the lights on your Ethernet cards. Look at the lights on your hub or switch. Do they show communications activity? Does the cable modem show link and data indicators?

It has been documented by Vortech that some domain name servers cache information about your connection, so your connection may not work for the first 24 hours. On my first connection to the RoadRunner modem the router failed. I could ping the Internet from the Coyote keyboard, but could not talk to the local network. The Windows machines could not see the Internet. The next night, after researching the problem, I was ready to change a lot of Windows network parameters. I didn't have to! When Coyote booted, the Internet came up immediately.

In this case, both computers were loaded with configuration software provided by Roadrunner and both were used on the Roadrunner network prior to the installation of the Coyote router.

Summary

Coyote Linux is easy to install and easy to configure.

Vortech has a very active Phorum message board. If you have a problem check the board for similar symptoms. 

This product will make your computers less susceptible to attacks from the Internet. If you do not have a Linux system to configure Coyote, consider purchasing the Windows version from Vortech or Prairie Wolf Software.

I highly recommend Coyote Linux to anyone who is using Road Runner.

A slide presentation of this paper was presented at the Melbourne Linux Users Group Meeting. That presentation can be viewed at http://www.graftacs.com/rrslides.

Biography

Ken Horton (khorton@mlinux.org) founded Horton Engineering in 1988. Horton Engineering provides turnkey computer solutions to business, environmental and industrial customers. His experience includes software development using Multics, VAX/VMS, Unix, Linux and Microsoft Windows.  He has a BSEE from the University of Louisiana at Lafayette.  He is a member of the Melbourne Linux Users Group, Inc and the Space Coast Internet Alliance.
www.graftacs.com