Setting up Edge
The Edge web site contains detailed instructions for installing their software. I'll summarize here. You download Edge as a series of ZIP files (or one ZIP if you use the hard-drive version). The archives contain disk images for initial boot, network drivers, and other tools. One archive (called cable.zip) contains the actual disk contents for the final boot disk. You create disks for the supplied disk image files. You unzip cable.zip and change the configuration files in the config directory to match what you want to do on your network.
For example, Edge comes preconfigured to route all main Internet services to a single server with an IP of 192.168.1.1. You can change the configuration so that some services go to one server (HTTP, for example) and other services (such as FTP) go to a completely different server. Once your configuration has been set up to your liking, you create a new 1.72MB floppy for the new boot disk. You must use Windows 95 or 98 for this task, as Windows NT does not recognize this floppy size. As I only have Windows NT, I used a Windows 98 boot disk and then copied the files over in DOS, after which I had to rename a couple of files within the firewall because the file names got mangled in DOS mode.
Once your configuration is complete, boot the firewall with the first boot disk and configure your Ethernet drivers. Edge provides a few scripts to automate this process and save the setup back to the new firewall boot disk. It's a good idea to make a backup copy of this disk if you use the floppy version in case you encounter bad media. Boot up your firewall and test it out. That's all there is to it.
If you have a monitor attached to your system, you can use CTRL-ALT-F5 through F10 to view the logs of your system. If, like me, you do not have a monitor attached, you can read the log files directly; they are kept in /var/log, as shown in Figure 2. The logs are archived nightly to keep memory use to a minimum. You should archive these log files to a floppy disk for later analysis.
Figure 2: Log files are kept in /var/log.
Shocked and amazed
Once the firewall was set up and running, I left it alone for a week and then checked the logs. The sheer number of portscans and other attack attempts on my system left my jaw on the floor. Most of the attacks came from other cable modem users on the same system and seemed targeted at Windows users (scanning for open file shares) or trying to exploit specific ports (HTTP and DNS ports were the most common). I also received attacks from as far away as Germany and Australia.
What can you do? Well, the attacking computer's IP address is contained in the logs, as well as which port they were trying to access and at what time. (See Figure 3.) Gather this information up and send it to their ISP, demanding that action be taken. Alternatively, you can ignore it, reassured by the fact that they didn't get anything. However, that is a dangerous stance, as someone might just cause damage to your system in the future.
Figure 3: Short log of attacks.
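As an added example (not from the article or from the Edge project), the following Python script turns log entries of the kind shown above into the per-source summary you would send to an ISP: who probed you, which ports, how many times, and when. It assumes the log lines are in the ipchains "Packet log:" syslog format; your Edge disk may write something different, so adjust LOG_RE to match what you see in /var/log. The sample entries are constructed.

```python
import re
from collections import defaultdict
# Constructed sample syslog lines in the ipchains "Packet log:" format (assumption:
# your Edge disk may log differently; adjust LOG_RE to match what you see in /var/log).
SAMPLE_LOG = """\
Mar  3 02:14:07 edge kernel: Packet log: input DENY eth0 PROTO=6 24.0.0.17:1030 24.0.0.5:139 L=48 S=0x00 I=1234 F=0x4000 T=128 SYN (#1)
Mar  3 02:14:08 edge kernel: Packet log: input DENY eth0 PROTO=17 24.0.0.17:1032 24.0.0.5:138 L=78 S=0x00 I=1236 F=0x0000 T=128 (#2)
Mar  3 04:01:55 edge kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4455 24.0.0.5:80 L=44 S=0x00 I=777 F=0x4000 T=54 SYN (#1)
Mar  3 04:02:10 edge kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4456 24.0.0.5:53 L=44 S=0x00 I=778 F=0x4000 T=54 SYN (#1)
Mar  3 04:02:11 edge kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.4:2020 24.0.0.5:22 L=44 S=0x00 I=900 F=0x4000 T=60 SYN (#3)
"""
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: (?P<chain>\w+) "
    r"(?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_line(line):
    """Return the fields of one 'Packet log' line as a dict, or None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = PROTO_NAMES.get(int(rec["proto"]), rec["proto"])
    rec["dport"] = int(rec["dport"])
    return rec

def summarize(log_text, min_ports=2):
    """Group DENY entries by source: hit count, ports probed, first/last seen, scan flag."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DENY":
            continue  # only blocked traffic belongs in an abuse report
        s = per_src[rec["src"]]
        s["hits"] += 1
        s["ports"].add((rec["proto"], rec["dport"]))
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
    for s in per_src.values():  # several distinct ports from one source looks like a scan
        s["scan"] = len(s["ports"]) >= min_ports
    return dict(per_src)

def report(summary):
    """One plain-text line per source, busiest first, ready to paste into an ISP report."""
    out = []
    for src, s in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        ports = ", ".join(f"{n}/{p}" for p, n in sorted(s["ports"]))
        flag = " [portscan]" if s["scan"] else ""
        out.append(f"{src}: {s['hits']} blocked, ports {ports}, {s['first']} to {s['last']}{flag}")
    return out
```

Run it over a whole archived log file (`summarize(open("/var/log/messages").read())`) to get one line per attacking host; the ACCEPT line in the sample shows that permitted traffic is deliberately left out.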
Staying awake at the helm
As mentioned previously, security is not passive; it is active. You need to stay on top of new security exploits all the time. Join the firewall's mailing list and watch for new versions of the software, which often contain bug fixes and security fixes. Watch your logs and see if anyone has managed to gain access to your system. Report attackers to their ISP, and report any hole to the firewall developers so it can be closed as soon as possible.
Again, a firewall is a first-line-of-defense system. Don't lull yourself into complacency just because your firewall is "working" as expected. Now that your defense lines are set up, you can go about taking other measures to ensure that your network remains secure.
Carl Constantine works for Open Source Solutions, Inc. (www.os-s.com) as a Linux Trainer and Programmer.