Linux Router Project Page
The Linux Router Project (LRP) and derivative distro branches are one of my favorite IT tools. Ever dream of owning something similar to a Cisco 2500 series router or better? Tired of paying thousands of dollars for one? Do you need a small Linux distribution that will scale down to a single floppy disk or is expandable to span several or a CD? Do you want a STRONG home firewall that you can make from old spare parts or find lying out in the trash or a friend's garage? Then this is probably just what you've been looking for. LRP ROCKS!!!

Some versions can run on a 386SX, but for the more recent versions/branches a 486DX33 with 16 Megs of RAM is suggested for cable modem users, and an old Pentium 90 with a suggested 24 Megs of RAM should saturate a T1 WAN connection. Many of these are being used commercially, and any module that is used in the Linux kernel can be used. The current branches Dachstein and Oxygen use the 2.2.19 stable kernel, and some preliminary 2.4.x kernels are floating about. Some branches are configurable to use not only a floppy, CD-ROM, or hard drive, but also flash drives. Some people have built half-rack 2U router/bridge/firewalls and servers out of LRP. The coolest part is that when it is run from a write-protected floppy, if the machine is compromised, you can just restart it and it is back to the original setup...not even Cisco can guarantee that. All parts are typically common PC hardware, so you can always find and buy hardware for it if something goes bad.

I can go on for hours about this subject, but if you're interested, check out the links and give a couple of them a try. I will list the major distributions, branches, and severed branches with a short opinion of what each version is best used for, and also provide links for you to find out more/download. I hope you find something of interest!!!

LRP-the Original - Dave Cinege's baby, from which all the others have pretty much been based.
Development has been rather slow, but I'm looking forward to using the upcoming "Butterfly" release (LRPv4.0). The most recent has been 2.9.8, which uses the 2.2.x kernel. This distro is the best as a regular router and tool-kit distro.

Dachstein - The brand new release from Charles Steinkuehler, whose last release (EigerStein) is probably the most used branch of all LRP-based distros in the last year or two. He picked up Matthew Grant's "mountain" branch and started "extending scripts" to make Mr. Grant's release easier to use and add more server functions. Dachstein is used the most as a firewall, which, with his scripts, is likely the strongest stock firewall I know of. It's fairly easy to set up if you know anything about networking and actually read the README.txt file. When run as a bridge and router it is equally functional. SSL, IPSec, a web-based monitor, a DHCP server, and a web-proxy server are stock on this version. A CD-ROM version of Dachstein is in full development and is available for testing. He is also one of the primary developers at LEAF, the Linux Embedded Appliance Firewall megasite. This is what I use for my firewall at home.

Oxygen - David Douthitt is another of LEAF's primary developers, with his incredible new Oxygen branch. Although Oxygen can do all the firewall, routing, and bridging that almost all LRP derivatives do, he has taken a different direction in having Oxygen work best as a miniature-scale "jack-of-all-trades" distro. Scalable from a single floppy to a full 7 in the present release, he is also in testing with an Oxygen CD-ROM that will do more than I could think of explaining here. Shoot, the floppy(s) release does more than I would think of listing here! It is at a 2.2.19 kernel now; a 2.4 series kernel is in testing with iptables and is an available choice on the development CD-ROM. I always have Oxygen available for use when I need an outstanding tool!

FreeSCO - Stands for "FREE ciSCO", but I would have to debate the truth of this claim, though it is another excellent distro. FreeSCO is used as a home firewall, a router, or a bridge like many other distros, but it definitely has its niche. This is IMHO the easiest of the bunch to set up and has the lowest minimum requirements of the bunch. It requires a 386SX computer, 6 Megs of RAM, and a floppy drive. There are many add-on programs, and things like web-based administration and DHCP, web, telnet, RAS, time, WINS, and print servers come stock. You can also use a hard drive fairly easily with FreeSCO. The downsides are security and stability. Unlike the previously mentioned distros, FreeSCO must have a physical device for the swap file, so you can't write-protect the floppy, and the only alternative is to use a hard drive that is writable. This means that if the system crashes hard, at the wrong time, or it gets hacked, your router will have to have a new disk made and can be rootkitted. I have run older versions of the previous distros with a downloadable FPU simulated kernel successfully with as little as 8 Megs of RAM (though I would really suggest 12 Megs at a minimum). The firewall is also not very strong out of the box, so if you go with FreeSCO, I would highly recommend using a 3rd party product like Seattle Firewall (at the LEAF site) or writing your own. I have used FreeSCO many, many times for bridges and routers when time was important and security was not. This being said, it is truly an excellent distro that I do use.

Coyote Linux - This distro is possibly the best known, if not the most used, of the bunch I am reviewing. Coyote branched completely from LRP a long time ago and is not open source (at least on the Windows portion) like the others. Coyote now comes in two flavors: the floppy disk version, which is comparable to an easy-to-set-up version of lrp-2.9.8, and an embedded version.
Neither release has the full functionality of LRP, Dachstein, and Oxygen, but they are not far behind. The embedded version already offers a 2.4 kernel with iptables, but it cannot be run on a floppy. The default firewall rules are about a middle ground between FreeSCO and the other mentioned products and are acceptable to me for home use (you can also easily write a new firewall with LEAF's "Seattle Firewall"). This is an excellent distro (once again), especially for non-Linux gurus who need tons of functionality. I personally do not use it, but I am _very_ comfortable with my other options, so keep this in mind. Many, many people love it and would never think of using anything else.

There are many, many other similar products out there, including Tom's firewall, PicoBSD, Smoothwall, and honestly more than I could mention. I can't say that the ones that I've mentioned are necessarily any better than any other products, but I can say that the ones mentioned are stable, excellent products in current development (not obsolete). I would suggest these to anyone looking for this type of product. I hope it's been helpful!

####################################
# LRP COMMAND HELP 2.2.x kernels ##
####################################

# to set the SILENT_DENY (no logging) option to Dachstein Firewall.
#SILENT_DENY="ProtoNumber_SourceAddress/Netmask_DestinationPort"
#Netmask and DestinationPort are optional

# rule in network.conf script to quit logging on certain packets
SILENT_DENY="[protocol#]_[source ip address]/[netmask]_[destination port#]"
*note* - the netmask and destination port# are optional

# start the lrp configuration applet
lrcfg

The network script will bring up or down any network card:
# svi network
Usage: network start|stop|reload
       network ifup|ifdown|ifreset eth0|eth1|eth2|all
       network ipfilter load|flush|reload
       network ipfilter list [input|output|forward|autofw|mfw|portfw]
       network ipfilter list masq|masquerade

You can also use the net command:
# net
Usage: net start|stop|reload
       net ifup|ifdown|ifreset eth0|eth1|eth2|all
       net ipfilter load|flush|reload
       net ipfilter list [input|output|forward|autofw|mfw|portfw]
       net ipfilter list masq|masquerade

IP COMMANDS
#ip address show - ifconfig
#ip address add 1.2.3.4/24 broadcast 1.2.3.255 dev eth0 - ifconfig (options) eth0 up
#ip link set dev eth0 up - ifconfig eth0 up
#ip route show - route -n
#ip route add default via 1.2.3.4 - route add default gw 1.2.3.4
#ip route add nat 1.2.3.4/8 via 192.168.1.10 table (-f inet)
#ip route add 192.168.0.0/24 via 192.168.0.1 dev eth0 [static route]
#ip neigh show - arp -a -n
#ifcfg eth0 1.2.3.4/24
#netstat -i
#netstat -r

LOGS
#/var/log/syslog
#/var/log/messages

LOADING EXTRA MODULES
# mount -t msdos /dev/fd0 /mnt
# mv /mnt/* /lib/modules
# umount /mnt (or) umount msdos /mnt
#echo "1" > /proc/sys/net/ipv4/ip_forward

MY COMMON NIC SETUPS
#3c5x9 - set io=300,320 irq=10,11 with 3c5x9cfg DOS utility
#ne io=300 - also load the "8390" module
#smc-ultra io=300 irq=10

DUPLEX SETTINGS
# half-duplex for connections to Cable/DSL Modems and hubs. (default)
# full-duplex for NIC-to-NIC, router, and most switch connections.
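The SILENT_DENY format from the top of this command help, decoded field by field. This is an added example, not code from Dachstein or from the original page; `parse_silent_deny` and `is_num` are hypothetical names, the sample entries are constructed, and it assumes one entry per call.

```shell
#!/bin/sh
# Added example, not LRP code: split one SILENT_DENY entry into its fields.
# Format as given on the page: proto#_source[/netmask][_destport]

is_num() { case "$1" in ""|*[!0-9]*|??????*) return 1 ;; esac; }

# Print the decoded fields, or fail with a reason on stderr.
parse_silent_deny() {
    entry=$1
    case "$entry" in
        *_*) proto=${entry%%_*}; rest=${entry#*_} ;;
        *)   echo "missing '_' after protocol number" >&2; return 1 ;;
    esac
    case "$rest" in
        *_*) src=${rest%%_*}; dport=${rest#*_} ;;
        *)   src=$rest; dport= ;;
    esac
    case "$src" in
        */)  echo "empty netmask" >&2; return 1 ;;
        */*) mask=${src#*/}; src=${src%%/*} ;;
        *)   mask= ;;
    esac
    if ! is_num "$proto" || [ "$proto" -gt 255 ]; then
        echo "protocol must be an IP protocol number 0-255" >&2; return 1
    fi
    case "$src" in
        ""|*[!0-9.]*) echo "bad source address" >&2; return 1 ;;
    esac
    case "$mask" in
        *[!0-9.]*) echo "bad netmask" >&2; return 1 ;;
    esac
    if [ -n "$dport" ]; then
        if ! is_num "$dport" || [ "$dport" -gt 65535 ]; then
            echo "destination port must be 0-65535" >&2; return 1
        fi
    fi
    case "$proto" in
        1) name=icmp ;; 6) name=tcp ;; 17) name=udp ;; *) name=other ;;
    esac
    echo "proto=$proto($name) src=$src mask=${mask:-none} dport=${dport:-any}"
}

# Constructed sample entries, not taken from a real network.conf.
for e in 17_192.168.1.0/24_137 1_10.0.0.5 6_1.2.3.4/255.255.255.0_80; do
    parse_silent_deny "$e"
done
```

Decoding an entry before adding it shows how much traffic will stop being logged: an entry with no netmask or port silences every denied packet of that protocol from the source.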

FIREWALL RUNNING RFC PRIVATE CLASS ADDRESS ON WAN CONNECTION
# edit /etc/ipfilter.conf and comment out the applicable line of the function:
#
#A function to filter out martian source addresses
stop martians () {
#RFC 1918/1617/1597 blocks
$IPCH -A $LIST -j DENY -p all -s 10.0.0.0/8 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 192.168.0.0/24 -d 0/0 -l $*

#then have it take effect with "svi network reload".

I hope this helps,
~Guitarlynn
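For the martian-filter edit above, a way to work out which DENY line applies to your WAN address so that only that one is commented out. This is an added example, not part of the original page or of ipfilter.conf; the function names are hypothetical, the sample addresses are constructed, and the block list is taken from RFC 1918 rather than from the excerpt.

```shell
#!/bin/sh
# Added example (not from ipfilter.conf): find the RFC 1918 block, if any,
# that contains a WAN address. Function names are hypothetical.

# Dotted quad -> 32-bit integer; returns 1 on malformed input.
ip_to_int() {
    case "$1" in
        ""|*[!0-9.]*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in
            ""|0?*|????*) return 1 ;;   # empty, leading zero, too long
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# True if address $1 lies in network $2 with prefix length $3.
in_block() {
    addr=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "$2") || return 2
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Print the private block holding $1, or "public"; status 2 if $1 is invalid.
wan_private_block() {
    ip_to_int "$1" >/dev/null || return 2
    for blk in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        if in_block "$1" "${blk%/*}" "${blk#*/}"; then
            echo "$blk"; return 0
        fi
    done
    echo public
}

# Constructed sample WAN addresses. A printed block names the DENY line to
# comment out; the lines for the other blocks stay active.
for ip in 192.168.1.10 10.44.0.7 172.32.0.1; do
    echo "$ip -> $(wan_private_block "$ip")"
done
```

If the result is "public", leave the martian function untouched.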
copyright 2000 | Contact Guitarlynn