Do It Yourself Firewall | The Decaffeinated Geek
Posted On: October 4, 2007, 9:35 am

I’ve had some thoughts for a while now about a self-contained firewall appliance built from some sort of embedded-like hardware and Linux. I’ve used custom firmware distributions like SveaSoft and DD-WRT for several years now and I’ve been very happy with the results. However, I’ve found them somewhat limiting in various ways, especially in regards to the hardware they’re used to running on. I also have a lot of concerns about the SveaSoft business model, apparent GPL violations, and the way the lead developer treats people who disagree with him. While I’m impressed with the technical merit of both firmwares, I wanted to do something that IS based on GPL, free-as-in-beer software, wasn’t limited by the hardware provided by Linksys/Cisco models, would allow me to experiment with some different things easily, and…well…look plain cool.


So I sat down and came up with some requirements that I would want this appliance to fulfill:

  • Compact size
  • Quiet
  • Hardware-based encryption support
  • Non-Windows friendly (Microsoft can eat me)
  • Reliable, robust, and flexible firewalling system
  • Web-based management and control of the box and its functions
  • Multi-band wireless support
  • Highly available

In addition to these requirements, I also had a list of ‘nice-to-haves’ that I’d like to try and incorporate into the design at some point:

  • Physically secure
  • Able to provide status/information at a glance
  • Looks sharp!

I’ve done some research so far on the possibilities and wanted to write down my ideas thus far, and maybe get some inputs from anyone who happens to read this. :)

Compact Size & Quiet
Solving these issues is easy. A Mini-ITX form-factor motherboard will provide all the functionality of a normal computer in a 17×17 centimeter footprint. For this particular project, I think the Jetway J7F2WE1G5D motherboard will suit things perfectly. It is a Mini-ITX motherboard sporting VIA’s C7 processor line, and the CN700 chipset. The specs are quite impressive:

  • Embedded VIA C7 BGA Processor
  • CN700 Northbridge and VT8237R Southbridge chipsets from VIA
  • Support for up to 1 GB of DDR2 533 (PC4200) RAM (1 DIMM slot)
  • 2 ATA133 IDE controllers
  • 2 SATA150 controllers with support for RAID 0 & 1
  • Integrated UniChrome AGP Graphics with MPEG2 Acceleration
  • 6 Channel AC’97 Audio Codec
  • 1 10/100 Ethernet Controller
  • 8 USB 2.0 ports (2 external, 6 internal headers)
  • 2 Serial Ports (1 external, 1 internal header)
  • 1 Internal Parallel Port header
  • 1 PCI expansion slot

Additionally, motherboards from Jetway’s J7F2 line have a unique connector that supports custom expansion boards. This board combined with a 3x 10/100 or 3x 10/100/1000 expansion board will provide 4 individual network ports for WAN, LAN, DMZ and an auxiliary interface. This board has a CPU cooler that runs quiet thanks to the massive heatsink on the processor and Northbridge. Some additional passive coolers on other ICs on the board will help with cooling as well.

To further support quiet operation, I have to think about the other equipment going into this board. Since I want to keep it compact, a PCI ‘over-the-board’ riser will be needed to allow a single PCI card to rest horizontally over the motherboard, parallel with it. For quiet power, I think a PicoPSU will do the job nicely; I’ll have to take a look at the power requirements for the whole system, but I think the 120W model will suffice with power to spare.

For storage, an IDE Disk-on-Module type flash device should work nicely. I’m thinking 512MB should be more than enough, and I could even set up software RAID across both IDE channels on the board to help meet my reliability/availability requirements. My main concern with these is lifecycle: they are still flash devices, with a limited number of erase/write cycles per block before they wear out, so logs and anything else that writes constantly should live in RAM or be written sparingly. Another option would be to use a MicroDrive, which is an actual hard disk, but these are expensive and I don’t know that 512MB varieties are available anymore.

Memory is another consideration. I would like to avoid swapping as much as possible (due to the write-lifecycle mentioned above), so I’m considering 512MB of DDR2-533 (PC4200) RAM. Is it cheesy to have as much RAM as HD space in a device?

Hardware Encryption
Another fortunate benefit of the Jetway motherboard and the embedded processor on it is the VIA PadLock security engine. This part of the C7 provides hardware support for AES encryption, a Montgomery multiplier that accelerates RSA, a hardware random number generator, SHA-1 and SHA-256 hashing, and ‘No-Execute’ page protection. The BIOS has to enable each engine, and the kernel needs its PadLock drivers loaded, before the OS will actually use any of it.
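As an added check (not from the original post), the script below reports which PadLock engines the CPU advertises and which the BIOS has actually enabled, using the flag names the Linux kernel prints in /proc/cpuinfo for Centaur/VIA parts (rng/rng_en, ace/ace_en, ace2/ace2_en, phe/phe_en, pmm/pmm_en). The sample flags line is constructed to show the failure mode that matters: an engine that is present but left disabled.

```shell
#!/bin/sh
# Added example: PadLock present-vs-enabled check from a /proc/cpuinfo flags line.
# Kernel flag names: rng/rng_en (XSTORE RNG), ace/ace_en (AES-128),
# ace2/ace2_en (AES-192/256), phe/phe_en (SHA-1/SHA-256),
# pmm/pmm_en (Montgomery multiplier used for RSA).

# Print one line per engine: "<name> present=yes|no enabled=yes|no".
padlock_report() {
  flags=" $1 "
  for pair in rng:RNG ace:AES-128 ace2:AES-192/256 phe:SHA-1/SHA-256 pmm:Montgomery-multiplier; do
    f=${pair%%:*}
    name=${pair#*:}
    case "$flags" in *" $f "*) present=yes ;; *) present=no ;; esac
    case "$flags" in *" ${f}_en "*) enabled=yes ;; *) enabled=no ;; esac
    echo "$name present=$present enabled=$enabled"
  done
}

# Succeed only when every engine is both present and enabled by the BIOS.
padlock_ready() {
  padlock_report "$1" | grep -q 'enabled=no' && return 1
  return 0
}

# Constructed sample: a C7 with RNG and AES enabled but SHA and RSA engines off.
SAMPLE_FLAGS="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge cmov pat clflush acpi mmx fxsr sse sse2 ss tm nx pni est tm2 rng rng_en ace ace_en ace2 ace2_en phe pmm"

padlock_report "$SAMPLE_FLAGS"
# On the real box:
#   padlock_report "$(sed -n 's/^flags[[:space:]]*: //p' /proc/cpuinfo | head -1)"
```

If an engine shows present=yes enabled=no, the fix is a BIOS setting, not a kernel one; once the flags read `*_en`, the padlock_aes and padlock_sha modules will register themselves and show up in /proc/crypto as the preferred AES and SHA implementations.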

Non-Windows Friendly
As I said above, Microsoft can eat me. Since I want this machine to be reliable and secure, using anything from MS is unacceptable; a logical solution to the problem is to use a Linux distribution. For a start I’m thinking of trying to merge the basics provided by OpenWRT with a homemade distribution based off of Linux-From-Scratch. OpenWRT can provide a good base and starting point for the kinds of utilities needed for wireless router management. LFS will provide a good medium to build a custom distribution that provides everything needed and goes beyond what firmware provides.

Robust Firewall
IPTables - need I say more? I understand it, it works well, and it has a crapload of nifty extensions that I can use to make a very creative and secure firewall for my network perimeter. Combining this with Linux’s built in traffic control functions I can set up some nifty QoS schemes to prioritize things going in and out of the network (and prevent my SSH sessions from lagging due to uploads). A few things I want to make sure I roll into IPTables on this project include:

  • Netfilter’s Patch-O-Matic
  • Layer 7 traffic filter (l7-filter)
  • GeoIP firewalling (‘racist routing’ be damned; I’ll gladly block all of Turkey and China from my network…spammy bastards!)
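As an added example (not the post’s own script), here is what such a ruleset looks like for the four-port layout above: default-deny policies, connection tracking, anti-spoofing on the WAN side, management reachable only from the LAN, a DMZ that can reach the Internet but never the LAN, the GeoIP and layer-7 matches from the list, and an HTB shaper on the uplink that keeps SSH and DNS out of the bulk upload queue. Interface names, subnets, the DMZ web host address and the uplink rate are assumptions; the geoip and layer7 matches need the out-of-tree modules the post plans to build in. With DRY_RUN=1 (the default) it prints the commands instead of installing them, so the whole ruleset can be reviewed before it touches the box.

```shell
#!/bin/sh
# Added example: four-zone stateful ruleset plus WAN uplink shaping.
# All names and addresses below are assumptions for illustration.
WAN=eth0 LAN=eth1 DMZ=eth2            # AUX (eth3) gets no rules yet: policy DROP covers it
LAN_NET=192.168.1.0/24 DMZ_NET=192.168.2.0/24
DMZ_WEB=192.168.2.10                  # assumed web server living in the DMZ
WAN_UP_KBIT=512                       # assumed uplink rate; shape just below it
DRY_RUN=${DRY_RUN:-1}                 # 1 = print commands, 0 = install them (needs root)

ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }
tcc() { if [ "$DRY_RUN" = 1 ]; then echo "tc $*"; else tc "$@"; fi; }

fw_ruleset() {
  # Start clean; default-deny for traffic to the box and through it.
  ipt -F; ipt -X; ipt -t nat -F; ipt -t mangle -F
  ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT

  # Loopback and conntrack first: most packets match here and stop.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
  ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP

  # Anti-spoofing: RFC1918 sources never legitimately arrive on the WAN.
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    ipt -A INPUT -i "$WAN" -s "$net" -j DROP
    ipt -A FORWARD -i "$WAN" -s "$net" -j DROP
  done

  # GeoIP drop on WAN ingress (geoip match from the out-of-tree module, assumed built).
  ipt -A INPUT -i "$WAN" -m geoip --src-cc CN,TR -j DROP
  ipt -A FORWARD -i "$WAN" -m geoip --src-cc CN,TR -j DROP

  # Management and services: SSH and the web UI only from the LAN; DHCP/DNS to LAN only.
  ipt -A INPUT -i "$LAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  ipt -A INPUT -i "$LAN" -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
  ipt -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT
  ipt -A INPUT -i "$LAN" -p udp --dport 53 -j ACCEPT
  ipt -A INPUT -i "$LAN" -p tcp --dport 53 -j ACCEPT
  ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

  # Zone policy: LAN -> anywhere; DMZ -> WAN only; WAN -> DMZ web only (after DNAT).
  # DMZ -> LAN is deliberately absent so a compromised DMZ host cannot reach inside.
  ipt -A FORWARD -i "$LAN" -s "$LAN_NET" -j ACCEPT
  ipt -A FORWARD -i "$DMZ" -s "$DMZ_NET" -o "$WAN" -j ACCEPT
  ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$DMZ_WEB"
  ipt -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_WEB" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

  # Layer 7 (l7-filter, assumed built in): flag BitTorrent leaving the DMZ.
  ipt -A FORWARD -i "$DMZ" -m layer7 --l7proto bittorrent -j LOG --log-prefix "l7-bt: "

  # Log what falls through, rate limited, before the policy drops it.
  ipt -A INPUT -m limit --limit 3/min -j LOG --log-prefix "fw-in-drop: "
  ipt -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "fw-fwd-drop: "

  # Hide the inside networks behind the WAN address.
  ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

wan_qos() {
  # HTB on the uplink: interactive class 1:10 beats bulk class 1:20 under load.
  tcc qdisc del dev "$WAN" root 2>/dev/null || true
  tcc qdisc add dev "$WAN" root handle 1: htb default 20
  tcc class add dev "$WAN" parent 1: classid 1:1 htb rate "${WAN_UP_KBIT}kbit"
  tcc class add dev "$WAN" parent 1:1 classid 1:10 htb rate "$((WAN_UP_KBIT/4))kbit" ceil "${WAN_UP_KBIT}kbit" prio 0
  tcc class add dev "$WAN" parent 1:1 classid 1:20 htb rate "$((WAN_UP_KBIT*3/4))kbit" ceil "${WAN_UP_KBIT}kbit" prio 1
  tcc qdisc add dev "$WAN" parent 1:10 handle 10: sfq perturb 10
  tcc qdisc add dev "$WAN" parent 1:20 handle 20: sfq perturb 10
  # Steer SSH, DNS and bare ACKs into the interactive class from the mangle table.
  ipt -t mangle -A POSTROUTING -o "$WAN" -p tcp --dport 22 -j CLASSIFY --set-class 1:10
  ipt -t mangle -A POSTROUTING -o "$WAN" -p udp --dport 53 -j CLASSIFY --set-class 1:10
  ipt -t mangle -A POSTROUTING -o "$WAN" -p tcp --tcp-flags SYN,ACK,FIN,RST ACK -m length --length :64 -j CLASSIFY --set-class 1:10
}

# With DRY_RUN=1 (the default) this prints the full ruleset for review.
fw_ruleset
wan_qos
```

Run it once with the default dry run and read the output top to bottom; the order matters, since the conntrack and anti-spoofing rules must sit before anything that accepts new connections. Setting the uplink rate a little below what the modem actually delivers is what makes the shaper effective: if the queue builds in the modem instead of in HTB, the prio classes never get a chance to reorder anything.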

Web-Based/GUI Management
This one has me worried. Obviously the firmware out there puts a lot of focus on web-based management since that is the primary method of interfacing with/managing the device. My initial thoughts are to create a custom interface using lighttpd, PHP, and SQLite. I’d like for the interface to be similar to those that are out there already (DD-WRT, SveaSoft, etc), yet extensible and able to handle changes to the internal hardware (new cards, etc). Obviously I want it to be secure as well. More to come on this as I think it over.

Multi-Band Wireless Support
I have a mixture of 802.11b and 802.11g devices on my personal network. Phasing the 802.11b devices out is expensive, but I don’t like running my 802.11g router in ‘compatibility mode’ since it slows the whole network down. The solution? Two wireless cards running in different modes to link and accommodate all of my devices at full speed. I’m looking at two Mini-PCI cards (brand to be determined) hooked up into a multi-mPCI-to-PCI adapter like the Routerboard 14. This would provide two extra Mini-PCI slots for expansion opportunities (a third wifi card, GPS module, etc).

Highly Available
The last thing I’d want with something like this is for it to lock up and be unable to reset to a good state, or to drift beyond management reach. A simple solution to this problem is a watchdog timer. Originally I had planned on building one based on a circuit schematic and software from an old LinuxFocus article by Guido Socher, but someone beat me to the punch, and a relatively inexpensive commercial model is available at LogicSupply. One of these, and a modified driver program based on the code from Guido’s article, should work nicely.

Physical Security
We’re into the ‘nice-to-haves’ section now. I’d really like to make sure no one could steal this thing if I’m going to spend so much time building it. A few simple security measures will solve such problems:

  • Chassis security screw(s)
  • Two-way keyed power/reset switch
  • Chassis intrusion switch
  • Reinforced ‘slot lock’ hole (e.g., a laptop cable lock)

These are probably overkill, but I think they’ll be a nice touch to such a custom project. Since the Jetway board doesn’t have a chassis intrusion header on it, I’ll have to build a custom circuit that’ll detect a switch changing states (e.g. tripped when case is opened) even if there is no power to the box itself. This will be part of the circuit explained below.

Informative
Two things I love about electronic gadgets: LEDs and LCDs. I would want to be able to look at this machine and have a good idea of what is going on with my connection to the Internet, and with the box itself. A USB-powered VFD from Matrix Orbital will do the job nicely. I can use the GPOs on this device to control an additional fan for cooling if I need to as well. As for LEDs, I’d like to have status lights for simple things on the device such as:

  • WAN network link & activity
  • LAN network link & activity
  • DMZ network link & activity
  • AUX network link & activity
  • WLAN1 network link & activity
  • WLAN2 network link & activity
  • Chassis Intrusion
  • Firewall activity
  • Power
  • Hard disk activity

The last two items are easy since they’re on the motherboard. For the rest, I have to work on some sort of custom circuit that will interface (ideally) with the parallel port header on the Jetway board and light the LEDs (or flash them) based on the events above. This circuit also needs to house the chassis intrusion circuit mentioned above. Since I’m hardware-challenged, I’m going to have to get some help with that but in general I think I’ll need:

  • A small PCB (duuuh)
  • 25-pin connector socket
  • 12 LEDs - 2 with direct pins for connection to the motherboard (Power & HDD), and 10 under the control of the circuit based on the above items (network, firewall, CI). Since a parallel port only has 8 data output lines, some ICs are probably going to be needed
  • Memory - something like a latch or a D flip-flop that will trip when the CI switch is tripped and remember its state even after the switch is closed again
  • Battery - I don’t think the parallel port can supply power when the system is off…my CI circuit will need to have constant power to be effective. A CR2032 should do the job I think.

This will require some work. My hardware and electronic skills are quite blowful. More research will be required.

Looks
Can’t have this thing looking shabby after all the work being done to make it slick. Unfortunately none of the Mini-ITX cases really look that nice to me, nor can they accommodate the additional pieces of this system like wifi antennae and the LCD and LED board I want to build. I looked around a little bit and found ProtoCase, a company that does custom enclosures, including Mini-ITX systems. I have a feeling this will be the long pole in terms of cost for this system, but I’ll have to check it out and get some kind of quote from them, once I figure out how to do a CAD drawing.

So that’s about it. More to come on this project as I start it. If anyone has ideas/comments about this, drop me a comment. :)
