wiki:TheBestPractices

Version 4 (modified by opyrt, 8 years ago) (diff)

More typos

Floppy Firewall 3.0 Best Practices

These are my "Best Practices" for how to set up the floppy firewall (ffw). Please note that this document is based on the 3.0 series ffw.

I assume you have read the installation and configuration instructions and that you already know how to set up a working ffw.

  • 1: Always keep a backup of your latest working floppy.
    • With Windows I suggest you use WinImage?. Pop inn your floppy, open WinImage? and choose "Disk -> Read disk" from the menu. Then choose "save" when the disk is read.
    • In linux, open a shell and do: "dd if=/dev/fd0 bs=512 count=2880 of=myffw.img"
  • 2: Always write protect your floppy when in the ffw. It keeps it safe from being changed in any way, and you'll always have a floppy that boots correctly.

  • 3: Choose your packages after your needs.
    • I suggest these packages:
      • SSH server: "dropbear" is a small SSH-server which allows you to remotely connect to your ffw and see status, make changes etc.
      • Monitoring tool: "nanotop" is a package that displays bandwidth usage, CPU usage and memory usage. I simply can't live without it.
      • Text editor: "e3" is a small text editor that simulates other well known editors. The built in "vi" editor is not very easy to use if you don't know it. "e3pi" (a part of the "e3" package simulates the more modern (and easier to learn) nano/pico.
  • 4: If you're on broadband, use wondershaper. Wondershaper makes sure you really get what you pay for in regards to your broadband connection. It takes care of shaping your connection to keep transfers more stable and keep the latency down. Ever experienced uploading something somewhere and all your downloads crash towards a near halt? Then you already know why you need wondershaper.
  • 5: Protect Dropbear.
    • If you're using dropbear, encrypt your password in the config. This is simply so that it is not human readable if someone should read your config file over your shoulder.
    • Also, you should add your dss and rsa keys to the floppy. This will ensure that the ffw uses the same keys even after reboot.

(HERE I WILL HAVE TO WRITE HOW TO DO THIS)

  • 6: If you've got an IP phone or using some other sort of VoIP technology, I strongly suggest you set up wondershaper with VoIP support. First of all, your VoIP device will need to have a static IP or static DHCP address. If you don't know how to set a static IP on your VoIP device, you're probably already using ffw as a DHCP server. Just modify the "ethers" file on the floppy with the MAC address from the device and give it an IP within the DHCP range specified in the config. Now modify the config file and set the VoIP ports. These should be supplied from your VoIP service provider. With this set up, your uploads and downloads will not affect your phone calls.

This document was written by Kai Ove Gran