
Build Your Own PC Firewall

‘Stop those Hackers’

with

If you have an old 486DX PC or better stashed away, you may think it no longer has any
useful life. Well, now is your chance to turn it into a dedicated firewall with
intrusion detection and logging!

MicroDIY

Index

Stage – Description

Introduction – Gives details of why we need a Firewall to protect our home or office computers
Step 1 – Building the PC. What are the hardware requirements to get a successful Firewall
capable of handling up to ten computers.
Step 2 – Building your PC Firewall. Details of what hardware you need.
Step 3 – The BIOS. Here you find the settings within your BIOS to get your PC up and running.
Step 4 – Installing The Software & Configuring Smoothwall Express 2.0

Key Features of Smoothwall Express 2.0


• NAT – network address translation – hide your computer IP address
• Stateful packet inspection – any network packet not requested from the GREEN side is rejected
• IP address tracking – trace those hackers using the built-in ‘Who is’ feature
• IP address blocking – create your own IP address block list
• Intrusion detection – find out who is ‘probing’ your network
• Comprehensive logging features – all events are logged for evidence
• Monitor network load graphically
• No monitor, keyboard or mouse required – once the firewall is properly built & configured
• Does not slow down the network or the broadband connection
• Remote shut down feature
• Automatically restarts when required – when a user logs onto the network

Note!! You may have been led to believe that a router, with built in ADSL modem and
network switch, with NAT (network address translation) and stateful packet inspection, is all
that is required to be safe from hackers and that you don’t need a software solution (such as
Zone Alarm) or hardware firewall solution. Well, frankly you’re wrong! Extensive tests have
shown that with today’s internet activity, you would be mad not to invest in a firewall,
especially with the new threat from viruses such as Sasser. Be safe! Get yourself a
firewall.

www.microdiy.co.uk Page 2 5/31/2004


Introduction
If you are concerned with network security and would like to stop outside hackers getting to
your data, then this project gives you all the necessary tools to build your very own dedicated
network firewall from an old PC. It uses open source software based upon the renowned
stability of the Linux OS. It has all the features you would expect of any commercial
hardware package and when installed into a PC performs extremely well giving many
network tools to help you track, monitor and defend against those hackers. The only problem
is that it expects the user to have some background knowledge of networking to get their PC
Firewall up and running, as Linux is not very user friendly. However, I have tried to cover
every possible hardware configuration by installing the software many times to see which set
up produces the best and easiest to achieve configuration. See Fig.1 – Home network
connected to the internet via an ADSL Router.

What you need!


The PC – any old PC that you may no longer use – remember though, you still need
reliability. The Firewall will probably be left on all the time only shutting down when
instructed to do so by the last user from the Smoothwall Express 2.0’s browser interface.

You only require the tower for the actual Firewall. During the building
and setting up of the firewall you will require a monitor, mouse &
keyboard. The tower unit, when properly configured, will operate without
the monitor, mouse & keyboard!

So, why will an old 486 do the job and what would be the advantage if I used a Pentium class
of computer?

Well, it all comes down to the number of computers which will access the internet via the
Firewall. A Pentium processor running at 500MHz or more will cope very well with up to 10+
computers accessing a broadband internet connection without any noticeable loss of
performance during file downloads etc., while a 486DX computer should do fine with a single
computer accessing the internet. The more features enabled on the Firewall, such as
intrusion detection, the more quickly those processor cycles are used up.

This Firewall is based around an Athlon 750MHz
Motherboard - Matsonic MS8137C with Via Chip set (KT133)

You must download the installation guides and spend some time reading them before you
begin to build your firewall. The documentation is comprehensive giving full details of the
software installation process. However, you will find the different options difficult to follow
unless you decide upon which type of set up you want first.

This project assumes that you already have a home or small office network connected
through a network hub or switch. The firewall should be placed between the broadband router
and the network hub/switch (see Fig. 1).

RJ45 network socket in the attic. This is where Smoothwall Express 2.0 joins both sides of
the network together.

Fig. 1 – GREEN interface: home network side of firewall. RED interface: Internet side of firewall.

You may find it helpful to read the other network guide booklets alongside this one to be able
to get a better overview of the networking options available.

Step 1 – Getting the Software


Download the Smoothwall Express 2.0 ISO CD-Rom image file from:
http://www.smoothwall.org/get/

You need to be able to create a bootable CD-Rom from the ISO image file. DO NOT simply
copy the files across onto a blank CD-Rom. The ISO image files at the beginning of the CD
are specially created to be recognized as a bootable CD-Rom, so burn your CD straight from
the ISO image file. Test the CD-Rom to make sure you can boot a computer from it. You can
use your own computer to do this by going into the BIOS and changing the boot sequence to:
1st boot device - CD-Rom
When you have achieved the above successfully you are ready to begin building your
firewall. Remember to test your CD first, as there is no point going any further if you cannot
boot and then load the files. There is an option to produce a bootable Floppy Disc, but I found
this unnecessary.

Step 2 – Building The PC Firewall
The next step involves the building of the computer. I would recommend that you go for
something approximately two years old, which will make the installation of the Linux
Smoothwall Express 2.0 software easier. Using brand new modern computer equipment (i.e.
the latest motherboards) is not recommended, even by the developers of the software. This is
because the latest motherboards use chip-sets which may not be recognized by the Linux OS.
Here is a list of the hardware you will need and system requirements:

• Motherboard with 500 - 750MHz processor with
o Wake-on LAN
o Power Saving feature S3 - Save to memory during sleep mode
• 1.2 Gigabyte hard drive or more – no more than 3 Gigabyte
• 64 Megabyte of Ram – max 128 Megabyte, any more is a waste
• On Board graphics or Basic PCI Video cards (S3 with 4 Megabyte of memory) – avoid
AGP types
• USB port – if using a USB broadband connection – cannot comment on these!
• 2 network adaptors – one with Wake-on-LAN. Netgear FA312 & FA311 work
well (you only need 1 if using a USB broadband router)
• ATX Case with 300W ATX power supply – to support sleep mode
• CD-Rom drive – required to boot from software must support ACPI mode
• 3½” Floppy Drive (Not required if booting from CD-Rom)

The network cards have proved to be very difficult for some computer builders to install,
especially when using the same make/type/chipset of network adaptor. This is because,
during the installation of the software, Smoothwall Express 2.0 looks first for the GREEN
interface network adaptor and then the RED interface network adaptor, making it difficult to
tell which is which when the cards are the same. Removing the cards and swapping them
over after installing the software DOES NOT solve the problem, as the cards’ MAC addresses
will be different. However, it really is very simple when you know the install logic behind Linux.
Linux scans each PCI slot in turn, starting with PCI slot 1 first. Put the graphics card in PCI
slot 1 and then put the adaptor card you want as the GREEN interface, the one with
Wake-on-LAN (WOL), into PCI slot 2. That way you know straight away you have set the correct
network card with WOL as the GREEN interface (your home or office network).

PCI slot 1

GREEN interface – Netgear’s FA312 network adaptor - WOL

You can put the RED network adaptor in any of the remaining PCI slots or use the USB port.
Note!! You must have USB and serial ports enabled in the motherboard BIOS even if you do
not need them, as disabling them will halt the Linux install process (Linux tries to find
devices connected to these ports first; if you disable them, Linux will halt at this point
during the install).

I used a network adaptor with WOL for the GREEN interface because I wanted the firewall to
automatically restart when booting a computer on the network; I also wanted the option to
remotely shut down the firewall from any of the computers on the network. Whoever is last
on the network takes the responsibility to shut down Smoothwall Express 2.0. I hoped to
have auto-sleep when no activity was detected but this option is NOT supported with Linux.
However, once Smoothwall Express 2.0 has been shut down it will automatically be
restarted by the WOL feature. This is why you need a motherboard with WOL, as it saves
having to remember to switch on Smoothwall Express 2.0 every time you switch on your own
computer.
At first, problems were encountered during the re-booting process from the sleep state, as some
hardware was not detected properly – mainly the graphics cards I tested. To get round this
problem, the ‘Save to memory’ option within the BIOS settings was selected and enabled,
as well as saving system BIOS & Video BIOS to main memory. This makes sure that ‘all’
hardware is properly stored and preserved in memory ready for the re-booting of Smoothwall
Express 2.0. Also, turn off ‘Halt on all errors’ within the BIOS; that way you will be able to
disconnect the keyboard, monitor and mouse once the building of the firewall is completed.

RED interface – Netgear FA311 network adaptor

Step 3 – The BIOS


The BIOS set up is relatively straightforward provided you follow these settings; you may
have to search around your BIOS to find them:

1. Reset/clear the BIOS and renew the battery
2. At start up select - load system defaults
3. Turn off - ‘Halt on all errors’
4. Set Hard drive using auto-detect or leave all on AUTO
5. Set the following:
o Parallel ports - Disable
o Second Serial port – Disable
o On-board sound & Modem – Disable
o WOL (wake on LAN) - Enable
o USB ports 3 onwards – Disable (you MUST have 1 & 2 enabled or Smoothwall Express 2.0 will not load correctly)
o Chip Set performance – set to NORMAL
o PCI Bus ‘0’ wait states – Disable
o PCI Prefetch – Enable
o PCI Buffer - Enable
o 3½ Floppy – None (Enable this option if you wish to boot from floppy)
o Memory settings – Set to Normal timings
o Ultra DMA – Enabled (check your CD-Rom supports this)
o VGA device – PCI
o PNP OS – Yes
o Reset configuration data – Yes (you must reset the CMOS first)
o Resources Controlled By – Auto (ESCD)
o PCI Master – ON
o Power On by PCI Card – Enabled
o ACPI Function – Enabled
o ACPI Suspend Type – S3 (STR – Suspend to Ram)
o PCI Master 0 WS – Disabled
o PCI Post Write - Enabled

Step 4 – Installing The Software & Configuring Smoothwall Express 2.0

The first part of the operation is straightforward. Simply pop the CD into the CD-Rom drive,
make sure the BIOS is set to – 1st boot Device CD-Rom, and follow the on-screen
instructions. The Linux OS will try to detect all of your hardware. It is during this stage of the
setup that you MUST allocate an IP address for the GREEN interface network adaptor (see Fig. 2).
When the GREEN interface is configured, you will be prompted that the rest of the files are
to be installed. When this is complete you will be prompted to remove the CD. Follow the
on-screen instructions to configure Smoothwall Express 2.0. They are well documented, but
don’t worry if you make a mistake; you can always log on again and change the setting. These are
the components which require setting up:

• Keyboard Mapping – any standard keyboard will do
• Host Name (leave it set to ‘Smoothwall’)
• Web Proxy – skip, not required
• ISDN – skip
• ADSL – skip (if you have a USB Speedtouch 330 Modem you will
need the Fixes3 update; see web for more details!)
• Networking – here you get to review your IP addresses (to use the set
up shown at Fig. 1 – select GREEN + RED)

When you are done here, there are three passwords that you must set. Make sure you
choose suitable passwords and make a note of them. You will be prompted for three:

• Admin
• Setup
• Root

You configured the GREEN interface first. You have the choice to use either your own IP
addresses or allow Smoothwall Express to act as a DHCP (Dynamic Host Configuration Protocol)
server. This means that the firewall will allocate an IP address to the computers on your
network when they boot up (note! You usually only ever have one DHCP server on a
network). This is where you may find problems, as I did, in getting the whole system to work
together, i.e. Smoothwall and your ADSL router. All routers supplied with an integrated
ADSL modem are set by default to perform as a DHCP server and DNS (Domain Name
System) server. This is because of the routing of internet traffic through the router (Gateway):
each computer’s request on the network needs to be translated correctly and directed to the
internet via each DNS server (you can have more than one of these). When the ADSL
modem logs onto your internet service provider’s server it requests the routing table ready to
perform the action of translating your browser requests into actual web addresses.

When Smoothwall Express 2.0 is operating you will be able to see which services are running:

DHCP Server - STOPPED
DNS Server - RUNNING

So what is the solution?
Well, leave your router (Gateway) settings as they are (DHCP & DNS servers – ON) and
allow the router to continue to allocate IP addresses. I found that the RED interface was set up
much more easily this way (during Smoothwall’s set up process you don’t get to choose the
RED interface IP address). Turn OFF the DHCP option within Smoothwall Express 2.0 but
leave the DNS option set to ON. Smoothwall Express 2.0 will work like this:

1. Your network computer browsers make an internet request – the Smoothwall DNS server
translates the request and passes it on to the RED interface. The RED interface IP
address is set by your ADSL router.
2. The router accepts the request and translates it in accordance with your
Internet Service Provider’s DNS servers – this way all internet traffic is handled
correctly.

Give the GREEN interface a fixed IP address, and don’t worry about your router; just make
sure that the IP address you use is high enough not to interfere with any other devices that
may connect to the router via wireless etc.
Make sure you make a note of the GREEN interface IP address that you have chosen; you
will need this when you configure each of the computers on the Home/Office network. The
GREEN IP address will be used to set the Gateway IP address within the ‘network options’
settings for each computer on the network. Now you can give each computer a fixed IP
address, which must be just above the GREEN interface IP address. Use the following
diagram to help you set each computer’s IP address, including Smoothwall’s.

Computer 1 – IP addresses
IP Address: 192.168.0.10
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.0.5
Preferred DNS server: 192.168.0.5

Computer 2 – IP addresses
IP Address: 192.168.0.11
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.0.5
Preferred DNS server: 192.168.0.5

Smoothwall Express 2.0 – Firewall
GREEN interface
IP Address: 192.168.0.5
Subnet Mask: 255.255.255.0
RED interface set by router

Router default settings:
IP address: 192.168.0.1

Fig. 2 – Network Configuration
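
The addressing rules in the text and in Fig. 2 can be checked on paper before any machine is reconfigured. The Python sketch below is an added example, not part of the original guide; the function name check_plan and the router's DHCP pool range are assumptions made for illustration.

```python
import ipaddress

def check_plan(green, clients, router, dhcp_pool=None):
    """Return a list of problems in a GREEN-side address plan (empty list = OK)."""
    green_if = ipaddress.ip_interface(green)
    router_ip = ipaddress.ip_address(router)
    pool = [ipaddress.ip_address(a) for a in dhcp_pool] if dhcp_pool else None

    def taken_by_router(addr):
        return addr == router_ip or (pool is not None and pool[0] <= addr <= pool[1])

    problems = []
    if taken_by_router(green_if.ip):
        problems.append(f"GREEN {green_if.ip} collides with the router or its DHCP pool")

    seen = {green_if.ip: "GREEN"}
    for name, cfg in clients.items():
        ip = ipaddress.ip_address(cfg["ip"])
        if ipaddress.ip_address(cfg["mask"]) != green_if.netmask:
            problems.append(f"{name}: subnet mask differs from GREEN")
        if ip not in green_if.network:
            problems.append(f"{name}: {ip} is outside {green_if.network}")
        elif ip <= green_if.ip:
            problems.append(f"{name}: {ip} is not above GREEN {green_if.ip}")
        # Gateway and DNS must both point at the firewall, not at the router.
        for field in ("gateway", "dns"):
            if ipaddress.ip_address(cfg[field]) != green_if.ip:
                problems.append(f"{name}: {field} {cfg[field]} is not the GREEN address")
        if ip in seen:
            problems.append(f"{name}: {ip} already used by {seen[ip]}")
        elif taken_by_router(ip):
            problems.append(f"{name}: {ip} collides with the router or its DHCP pool")
        seen.setdefault(ip, name)
    return problems

# Addresses from Fig. 2. The DHCP pool bounds are a constructed assumption:
# the page does not say which range the router hands out.
GREEN = "192.168.0.5/24"
ROUTER = "192.168.0.1"
ROUTER_DHCP_POOL = ("192.168.0.2", "192.168.0.4")
CLIENTS = {
    "Computer 1": {"ip": "192.168.0.10", "mask": "255.255.255.0",
                   "gateway": "192.168.0.5", "dns": "192.168.0.5"},
    "Computer 2": {"ip": "192.168.0.11", "mask": "255.255.255.0",
                   "gateway": "192.168.0.5", "dns": "192.168.0.5"},
}

if __name__ == "__main__":
    for line in check_plan(GREEN, CLIENTS, ROUTER, ROUTER_DHCP_POOL) or ["plan is consistent"]:
        print(line)
```

A computer whose Default Gateway is left at the router's address is the case worth catching, since that setting points it at the router instead of the GREEN interface.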

To set up each computer’s network TCP/IP settings, go to My Network Places and select
View Network Connections to bring up this dialogue box:

Highlight Internet Protocol (TCP/IP) and choose Properties

This will bring up the following options box:

Well, that is it, you’re all done. All you need to do now is download the updates for
Smoothwall. They are hidden in the ‘Archives’ section and are as follows:

1. Fixes1
2. Fixes2
3. Fixes3

Download each of the files onto your computer’s hard drive. You may wish to do this before
you connect Smoothwall Express 2.0, as these updates are required for some hardware
problems!

To upload the files to Smoothwall, log on to Smoothwall (see below) and select
‘Maintenance’.

From here you need to browse to the location on your hard drive to find each of the updates
using the ‘Browse’ button.

Once you have found each of the files – upload each in turn. They must be installed in turn
starting with ‘Fixes1’ first – then reboot for the update to install before you repeat the above
for the other ‘Fixes’.

Your firewall is now ready to run. If all is well you should be able to get straight onto the
internet without any trouble. To Log onto Smoothwall use the following in your Browser
setting:

If you are unable to connect to the internet you should be able to log on to Smoothwall to
check your settings!

That’s it you’re all done! Good Luck!
