Floppy Firewall 3.0 Best Practices
These are my "Best Practices" for how to set up the floppy firewall (ffw). Please note that this document is based on the 3.0 series ffw.
I assume you have read the installation and configuration instructions and that you already know how to set up a working ffw.
- 1: Always keep a backup of your latest working floppy.
  - With Windows I suggest you use WinImage. Pop in your floppy, open WinImage and choose "Disk -> Read disk" from the menu. Then choose "save" when the disk has been read.
  - In Linux, open a shell and run: "dd if=/dev/fd0 bs=512 count=2880 of=myffw.img"
- 2: Always write-protect your floppy while it is in the ffw. This keeps it from being changed in any way, so you'll always have a floppy that boots correctly.
- 3: Choose your packages according to your needs.
  - I suggest these packages:
    - SSH server: "dropbear" is a small SSH server which allows you to connect to your ffw remotely to see status, make changes etc.
    - Monitoring tool: "nanotop" is a package that displays bandwidth usage, CPU usage and memory usage. I simply can't live without it.
    - Text editor: "e3" is a small text editor that simulates other well-known editors. The built-in "vi" editor is not very easy to use if you don't know it. "e3pi" (a part of the "e3" package) simulates the more modern (and easier to learn) nano/pico.
- 4: If you're on broadband, use wondershaper. Wondershaper makes sure you really get what you pay for from your broadband connection. It shapes your traffic to keep transfers more stable and latency down. Ever experienced uploading something somewhere and all your downloads slow down to a crawl? Then you already know why you need wondershaper.
- 5: Protect Dropbear.
  - If you're using dropbear, encrypt your password in the config. This is simply so that it is not human-readable if someone should read your config file over your shoulder.
  - You should also add your DSS and RSA host keys to the floppy: after your floppy has booted, copy the files "dropbear_dss_host_key" and "dropbear_rsa_host_key" from your live system and save them as "drop_dss.key" and "drop_rsa.key" in the packages folder on the floppy. This will ensure that dropbear uses the same keys even after a reboot.
- 6: If you've got an IP phone or are using some other sort of VoIP technology, I strongly suggest you set up wondershaper with VoIP support. First of all, your VoIP device will need to have a static IP or static DHCP address. If you don't know how to set a static IP on your VoIP device, you're probably already using ffw as a DHCP server. Just modify the "ethers" file on the floppy with the MAC address of the device and give it an IP within the DHCP range specified in the config. Now modify the config file and set the VoIP ports. These should be supplied by your VoIP service provider. With this set up, your uploads and downloads will not affect your phone calls.
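
The backup from practice 1 only helps if the image is complete and has not changed since it was taken. The following shell functions are an added example, not part of the original page or the ffw project: they check that an image made with the dd command above is exactly 512 x 2880 bytes, record its SHA-256, and verify it later. The function names and the ".sha256" sidecar file are assumptions, and sha256sum (GNU coreutils) is assumed to be installed.

```sh
#!/bin/sh
# Added example: integrity checks for a floppy image made with
#   dd if=/dev/fd0 bs=512 count=2880 of=myffw.img
# Function names and the ".sha256" sidecar file are assumptions.

FFW_IMAGE_BYTES=$((512 * 2880))   # 1474560 bytes = one 1.44 MB floppy

# A short read (bad sector, wrong count) leaves a smaller file.
ffw_size_ok() {
    ffw_bytes=$(( $(wc -c < "$1") ))
    if [ "$ffw_bytes" -ne "$FFW_IMAGE_BYTES" ]; then
        echo "error: $1 is $ffw_bytes bytes, expected $FFW_IMAGE_BYTES" >&2
        return 1
    fi
}

# Print only the hex digest of a file.
ffw_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# ffw_record_image IMAGE: run right after taking the backup.
ffw_record_image() {
    ffw_size_ok "$1" || return 1
    ffw_sha256 "$1" > "$1.sha256"
}

# ffw_verify_image IMAGE [SOURCE]: run before writing the image back.
# Returns 1 = wrong size, 2 = no recorded digest, 3 = digest mismatch,
# 4 = image differs from SOURCE (for example the floppy in /dev/fd0).
ffw_verify_image() {
    ffw_size_ok "$1" || return 1
    [ -f "$1.sha256" ] || { echo "error: no $1.sha256" >&2; return 2; }
    if [ "$(ffw_sha256 "$1")" != "$(cat "$1.sha256")" ]; then
        echo "error: $1 changed since it was recorded" >&2
        return 3
    fi
    # Optional byte-for-byte comparison with the source disk or file.
    if [ -n "${2:-}" ] && ! cmp -s "$1" "$2"; then
        echo "error: $1 differs from $2" >&2
        return 4
    fi
    return 0
}
```

Run "ffw_record_image myffw.img" right after the dd backup, and "ffw_verify_image myffw.img /dev/fd0" while the floppy is still in the drive to confirm the copy matches it.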