<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
><channel><title>Ubuntu Linux Help &#187; firewall</title> <atom:link href="http://ubuntulinuxhelp.com/tag/firewall/feed/" rel="self" type="application/rss+xml" /><link>http://ubuntulinuxhelp.com</link> <description>Tips, Tricks and How To&#039;s for the Ubuntu Linux User</description> <lastBuildDate>Thu, 19 Jan 2012 13:15:19 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=</generator> <item><title>Using The Host Object in Firewall Builder</title><link>http://ubuntulinuxhelp.com/using-the-host-object-in-firewall-builder/</link> <comments>http://ubuntulinuxhelp.com/using-the-host-object-in-firewall-builder/#comments</comments> <pubDate>Wed, 15 Jul 2009 20:58:06 +0000</pubDate> <dc:creator>Vadim Kurland</dc:creator> <category><![CDATA[How To]]></category> <category><![CDATA[firewall]]></category> <category><![CDATA[fwbuilder]]></category> <category><![CDATA[host]]></category> <category><![CDATA[object]]></category> <category><![CDATA[policy]]></category> <category><![CDATA[rule]]></category> <category><![CDATA[security]]></category><guid
isPermaLink="false">http://ubuntulinuxhelp.com/?p=1724</guid> <description><![CDATA[This article continues the series of articles on Firewall Builder, a graphical firewall configuration and management tool that supports many Open Source firewall platforms as well as Cisco IOS access lists and Cisco ASA (PIX). Firewall Builder was introduced on this site earlier with articles Getting Started With Firewall Builder, Using Built-in Policy Importer in [...]]]></description> <content:encoded><![CDATA[<p>This article continues the series of articles on Firewall Builder,     a graphical firewall configuration and management tool that     supports many Open Source firewall platforms as well as Cisco IOS     access lists and Cisco ASA (PIX).  Firewall Builder was introduced     on this site earlier with articles <a
href="http://ubuntulinuxhelp.com/getting-started-with-firewall-builder/" title="Getting Started with Firewall Builder"  target="_self"> Getting Started With Firewall Builder</a>, <a
href="http://ubuntulinuxhelp.com/using-built-in-policy-importer-in-firewall-builder/" title="Using Built-in Policy Importer in Firewall Builder"  target="_self">Using       Built-in Policy Importer in Firewall Builder</a>, <a
href="http://ubuntulinuxhelp.com/using-firewall-object-in-firewall-builder/" title="Using Firewall Object in Firewall Builder"  target="_self"> Using Firewall Object in Firewall Builder</a>.</p><p>More information on Firewall Builder, pre-built binary packages     and source code, documentation and <strong>Firewall Builder     Cookbook</strong> can be found on the project web site     at <a
href="http://www.fwbuilder.org/" title="FWbuilder"  target="_blank"> www.fwbuilder.org</a>. Watch <a
href="http://blog.fwbuilder.org/" title="FWbuilder Blog"  target="_blank">Project Blog</a> for announcements and articles on all aspects of using Firewall Builder.</p><p>This article demonstrates how you can work with <strong>Host</strong> objects in Firewall Builder.</p><h2>The Host Object</h2><p>The host object in Firewall Builder is designed to represent real hosts in the network: workstations, servers, and any other network node with an address. Just like real hosts, the host objects have interfaces, representing different physical connections to the network. Most Internet hosts will have just a single (visible) interface with a single IP address. In that case the actual interface and its name do not matter. For most foreign hosts, Firewall Builder will assign an arbitrary name “interface1” to the host's interface. By using a tree-like hierarchy of hosts -&gt; interfaces -&gt; addresses it is possible, however, to specify the exact address and/or interface of a host in the case when it does matter. Both interfaces and addresses are represented by objects, which are organized in a tree. Interface objects sit in the tree directly under the host, and the address objects are located under their interfaces. The interface object can have either one or multiple addresses. An example of a host with one interface with multiple addresses is shown in the screenshot below. Host <strong>“test server”</strong> has three virtual IP addresses that all belong to the same interface <strong>“eth0”</strong>.</p><p>In Firewall Builder, the host object is<span
id="more-1724"></span> an abstraction. It does not have to be restricted to an individual host. The following host object may represent a single physical computer with three IP addresses, or a web farm that accepts connections on three IP addresses, each on a different computer.</p><p><img
class="alignnone size-full wp-image-1725" title="Host in tree" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/07/host_in_tree.png?9d7bd4" alt="Host in tree" width="472" height="496" /></p><p>Note: The host object cannot have any access, NAT or     routing policy associated with it; only firewall     objects can have policies.</p><h2>Creating Host Object</h2><p><img
class="alignnone size-full wp-image-1726" title="Creating new host" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/07/creating_host1.png?9d7bd4" alt="Creating new host" width="472" height="491" /></p><p>To speed up and simplify the process, a wizard collects all the data needed for both the host and its interfaces and then creates the object. The screenshot above shows the first page of the wizard.</p><p>Enter the host name. Generally, this name does not have to be the same as the real host’s name. However, if you are going to use SNMP to populate the host’s interfaces, or if you are going to use DNS to look up interface IP addresses, the name does have to match.</p><p>You can create a new host from a template by checking the corresponding checkbox on the first page of the wizard, or you can do it manually. Let's look at the manual process. To do this, click the &#8220;Next&#8221; button to switch to the page where you can enter interfaces and their addresses.</p><p><img
class="alignnone size-full wp-image-1727" title="Adding interface addresses" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/07/creating_host2.png?9d7bd4" alt="Adding interface addresses" width="472" height="491" /></p><p>If the new host object has a single interface (this,     perhaps, is the most common case) then you just need     to fill the entry field for its address and maybe MAC     address and click Next. If the object’s name is the     same as the real host name, then you can use the DNS     Lookup button to get the address from DNS.</p><p>Here you can add interfaces to the new host     object. Enter the interface name, address, and     netmask in the appropriate fields, then     click <strong>&#8220;Add&#8221;</strong> to add it to the list. (If the     interface is dynamic or unnumbered, then click the     appropriate checkbox instead of entering address     information.) The <strong>&#8220;Update&#8221;</strong> button updates     information for the interface that is selected in     the list, and the <strong>&#8220;Delete&#8221;</strong> button deletes the     currently selected interface.</p><p>This method only works for IPv4 addresses. If you     need to add an IPv6 address, save the host object     without the IPv6 address, then add the IPv6 address     to the interface.</p><p>Note: You can always add, modify and remove     interfaces of the new host object later using     controls provided by the main window and the object     tree view.</p><h3>Editing a Host Object</h3><p><img
class="alignnone size-full wp-image-1728" title="Editing a host object" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/07/host_dialog1.png?9d7bd4" alt="Editing a host object" width="472" height="227" /></p><p>The Host object dialog allows you to edit the following parameters:</p><ul><li> Name &#8212; The Host object name.</li><li> MAC matching &#8212; If this option is activated, the policy compiler uses the MAC addresses of all interfaces of this host in the firewall rules. Not all firewall platforms support MAC address filtering, so this option may have no effect on the generated firewall script. This is treated as a non-critical situation, and the policy compiler will only generate a warning while processing a firewall policy where such a host is used.</li><li> Comment &#8212; This is a free-form text field which can be used to add comments.</li></ul><h3>Using Host Object in Rules</h3><p>When a Host object is used in a rule, it acts as a group of all of its addresses, that is, the addresses that belong to all of its interfaces. The only exception is the loopback interface; compilers skip its address when they replace the Host object with its addresses.</p><p>Consider the following Host object. It has interface <strong>eth0</strong> with two IP addresses and a MAC address, interface <strong>he-ipv6</strong> with an IPv6 address and a MAC address, interface <strong>lo</strong> (loopback) with its own IP address and interface <strong>sit0</strong> (tunnel) with no address.</p><p><img
class="alignnone size-full wp-image-1729" title="Host interface" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/07/host_example_1.png?9d7bd4" alt="Host interface" width="472" height="662" /></p><p>Let's put this host object in a rule as follows:</p><p><img
class="alignnone size-full wp-image-1730" title="Host object in rule" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/07/host_example_2.png?9d7bd4" alt="Host object in rule" width="472" height="263" /></p><p>The rule set is configured as &#8220;IPv4 only&#8221;, so even     though interface <strong>he-ipv6</strong> has IPv6 address,     fwbuilder will ignore it while generating iptables     commands for this rule. Interface <strong>eth0</strong> has two     IPv4 addresses and both will be used. Here are iptables     commands generated for this rule:</p><p><strong><span
style="color: #ff6600;">$IPTABLES -A FORWARD -p tcp -m tcp  --dport 22  -m state --state NEW  -j Cid6066X5981.1<br
/> $IPTABLES -A Cid6066X5981.1  -d 10.3.14.44  -j ACCEPT<br
/> $IPTABLES -A Cid6066X5981.1  -d 10.3.14.55  -j ACCEPT<br
/> $IPTABLES -A Cid6066X5981.1  -d  -j ACCEPT</span></strong></p><p>Let's see what we get for the same rule if we configure the rule set object as &#8220;IPv4+IPv6&#8221;:</p><p><img
class="alignnone size-full wp-image-1731" title="Rule configuration" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/07/host_example_3.png?9d7bd4" alt="Rule configuration" width="472" height="263" /></p><p>Since the rule is now configured to compile for both address families, fwbuilder processes it twice, using on each pass only those addresses of the host that match the address family. Here is what we get (these are relevant fragments of the generated script):</p><p><em><span
style="color: #3366ff;"># ================ IPv4</span></em></p><p><span
style="color: #3366ff;"><em>$IPTABLES -A FORWARD -p tcp -m tcp  --dport 22  -m state --state NEW  -j Cid6066X5981.1<br
/> $IPTABLES -A Cid6066X5981.1  -d 10.3.14.44  -j ACCEPT<br
/> $IPTABLES -A Cid6066X5981.1  -d 10.3.14.55  -j ACCEPT<br
/> $IPTABLES -A Cid6066X5981.1  -d  -j ACCEPT</em></span></p><p><span
style="color: #3366ff;"><em># ================ IPv6</em></span></p><p><span
style="color: #3366ff;"><em>$IP6TABLES -A FORWARD -p tcp -m tcp  --dport 22  -m state --state NEW  -j Cid6066X5981.1<br
/> $IP6TABLES -A Cid6066X5981.1  -d fe80::a3:e2c  -j ACCEPT</em></span></p> ]]></content:encoded> <wfw:commentRss>http://ubuntulinuxhelp.com/using-the-host-object-in-firewall-builder/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Using Firewall Object in Firewall Builder</title><link>http://ubuntulinuxhelp.com/using-firewall-object-in-firewall-builder/</link> <comments>http://ubuntulinuxhelp.com/using-firewall-object-in-firewall-builder/#comments</comments> <pubDate>Thu, 02 Jul 2009 15:09:52 +0000</pubDate> <dc:creator>Vadim Kurland</dc:creator> <category><![CDATA[How To]]></category> <category><![CDATA[address]]></category> <category><![CDATA[cisco]]></category> <category><![CDATA[firewall]]></category> <category><![CDATA[fwbuilder]]></category> <category><![CDATA[gateway]]></category> <category><![CDATA[icmp]]></category> <category><![CDATA[ip]]></category> <category><![CDATA[iptables]]></category> <category><![CDATA[ipv4]]></category> <category><![CDATA[ipv6]]></category> <category><![CDATA[object]]></category> <category><![CDATA[policy]]></category> <category><![CDATA[ruleset]]></category> <category><![CDATA[security]]></category> <category><![CDATA[snmp]]></category> <category><![CDATA[tcp]]></category> <category><![CDATA[udp]]></category><guid
isPermaLink="false">http://ubuntulinuxhelp.com/?p=1694</guid> <description><![CDATA[This article continues the series of articles on Firewall Builder, a graphical firewall configuration and management tool that supports many Open Source firewall platforms as well as Cisco IOS access lists and Cisco ASA (PIX). Firewall Builder was introduced on this site earlier with articles Getting Started With Firewall Builder and Using Built-in Policy Importer [...]]]></description> <content:encoded><![CDATA[<p>This article continues the series of articles on Firewall Builder, a graphical firewall configuration and management tool that supports many Open Source firewall platforms as well as Cisco IOS access lists and Cisco ASA (PIX). Firewall Builder was introduced on this site earlier with articles <a
href="http://ubuntulinuxhelp.com/getting-started-with-firewall-builder/" title="Getting Started with Firewall Builder"  target="_self"> Getting Started With Firewall Builder</a> and <a
href="http://ubuntulinuxhelp.com/using-built-in-policy-importer-in-firewall-builder/" title="Using Built-in Policy Importer in Firewall Builder"  target="_self">Using       Built-in Policy Importer in Firewall Builder</a>.</p><p>More information on Firewall Builder, pre-built binary packages     and source code, documentation and <strong>Firewall Builder     Cookbook</strong> can be found on the project web site     at <a
href="http://www.fwbuilder.org/" title="FWbuilder"  target="_blank"> www.fwbuilder.org</a>. Watch <a
href="http://blog.fwbuilder.org/" title="FWbuilder Blog"  target="_blank">Project Blog</a> for announcements and articles on all aspects of using Firewall Builder.</p><p>Firewall Builder supports a variety of object types, both simple ones such as address, network, host, or IP, TCP, UDP and ICMP services, and more sophisticated ones such as Firewall, Host, Address table, DNS name, User service. The Firewall object is central to the program and is the focus of this article.</p><h2>General Description</h2><p>A firewall object is designed to represent a real firewall device in your network. This firewall object will have interface and IP address objects that mirror the real interfaces and IP addresses of the actual device. In addition, the firewall object is where you create the access policy rule sets, NAT rule sets, and routing rule sets that you assign to your firewall device.</p><p>By default, a firewall has one Policy rule set, one NAT rule set, and one routing rule set. However, you can create more than one rule set using branching rules (for firewalls that support them). On the other hand, you don’t have to populate all the rule sets. You can, for example, create a Policy rule set and leave the NAT and Routing rule sets empty. We explain more about policies and rule sets below.</p><p>To speed up the creation of a firewall object, Firewall Builder has a wizard that walks you through creating the object. The wizard has three options for creating a firewall object:</p><ul><li>From a template: Firewall Builder comes with several pre-defined templates. You can use these to create a firewall that is close to your configuration, then modify it to fit your needs. This method is demonstrated in the &#8220;Getting Started with Firewall Builder&#8221; <a
href="http://www.fwbuilder.org/slideshows/tutorial_3/slide_1.html" title="Slideshow"  target="_blank">here</a> or <a
href="http://ubuntulinuxhelp.com/getting-started-with-firewall-builder/" title="Getting Started with Firewall Builder"  target="_self">here</a>.</li><li>Manually: You can provide interface IP         address, subnet mask, gateway, and other         parameters manually. You can add this         information when you create the firewall, or you         can add it later.</li><li>Via SNMP: Firewall Builder uses SNMP queries         to learn about the network.</li></ul><h2>Creating Firewall Object Manually</h2><p>To start the firewall object creation wizard,     right-click the Firewalls folder in the User tree     and select New Firewall.</p><p>The first page of this wizard is displayed.</p><p><img
class="alignnone size-full wp-image-1695" title="New Firewall Wizard" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/07/new_firewall_wizard_1.png?9d7bd4" alt="New Firewall Wizard" width="472" height="554" /><span
id="more-1694"></span></p><p>Give the firewall object a name. Usually, this name     will be the same name as the device, but it doesn’t     have to be if you’re assigning interfaces     manually. (If you will use SNMP or DNS to populate     the interfaces, then the name must be the same as     the device name.) Then specify the firewall software     and OS. Leave the Use pre-configured template firewall     objects checkbox unchecked.  Click Next.</p><p><img
class="alignnone size-full wp-image-1696" title="Adding interfaces" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/07/new_firewall_wizard_2.png?9d7bd4" alt="Adding interfaces" width="472" height="554" /></p><p>Select Configure interfaces manually and click Next.</p><p><img
class="alignnone size-full wp-image-1697" title="Add and Edit Interfaces Manually" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/07/new_firewall_wizard_3.png?9d7bd4" alt="Add and Edit Interfaces Manually" width="472" height="554" /></p><p>Use this screen to add firewall interfaces. Populate the following fields for an interface, then click Add to add the interface. Then, populate the fields again for the next interface. If you make a mistake, click on the interface in the list, make your changes, then click Update.</p><ul><li>Interface type: Indicate the type of interface. We explain interface types in more detail below. Briefly, though, a Regular interface has a static IP address, a Dynamic address interface has a dynamic address provided by something like DHCP, an Unnumbered interface never has an IP address (PPPoE connection, for example), and a Bridge port is an interface that is bridged in the firewall.</li><li>Name: The name of the interface object in Firewall Builder must match exactly the name of the interface of the firewall machine it represents. This will be something like &#8220;eth0&#8221;, &#8220;eth1&#8221;, &#8220;en0&#8221;, &#8220;br0&#8221;, and so on.</li><li>Label: On most OS’s this field is not used and serves the purpose of a descriptive label. The label is mandatory for Cisco PIX though, where it must reflect the network topology. Firewall Builder GUI uses the label, if it is not blank, to label interfaces in the tree. One of the suggested uses for this field is to mark interfaces to reflect the network topology (’outside’, ’inside’) or interface purpose (’web frontend’ or ’backup subnet’).</li><li>Address: If the interface has a static IP address, specify it here. (In Firewall Builder version 3, this must be an IPv4 address. 
If you need it to be an IPv6 address, create the interface without an IP address, then add the IPv6 address after you have created the firewall object.)</li><li>Netmask: Use either a traditional netmask (255.255.255.0) or slash notation (24, without the actual slash) to specify the interface netmask.</li><li>MAC: If you like, you can also specify the interface physical address. The MAC address is not necessary, but it can be used to combat spoofing. If the feature is turned on and available, and an interface object with a MAC address is used in a policy rule, then the firewall will only accept packets from the given IP address if the MAC address also matches the one specified.</li></ul><p>Once all the interfaces are configured, click Finish to create the new firewall object.</p><p><strong>Note:</strong> You can always add, modify and delete interfaces later using controls provided in the main window.</p><h2>Creating Firewall Object using SNMP discovery</h2><p>If your firewall runs an SNMP daemon, you can save yourself some time by using SNMP discovery to automatically create interfaces of the new firewall object.</p><p><img
class="alignnone size-full wp-image-1698" title="Use SNMP discovery" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/07/new_firewall_wizard_4.png?9d7bd4" alt="Use SNMP discovery" width="472" height="248" /></p><p>Start by checking the &#8220;Use SNMP&#8221; checkbox on the second page of the wizard and enter the SNMP &#8220;read&#8221; community, then click the &#8220;Discover interfaces using SNMP&#8221; button.</p><p><img
class="alignnone size-full wp-image-1699" title="Discover interfaces using SNMP" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/07/new_firewall_wizard_5.png?9d7bd4" alt="Discover interfaces using SNMP" width="472" height="553" /></p><p>Firewall Builder will run a series of SNMP queries to the firewall to read the list of interfaces and their addresses. Both IPv4 and IPv6 addresses can be imported. For IPv6 the firewall must support IP-MIB RFC4293. Once the discovery process finishes, click &#8220;Next&#8221;.</p><p><img
class="alignnone size-full wp-image-1700" title="Finish discovery process" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/07/new_firewall_wizard_6.png?9d7bd4" alt="Finish discovery process" width="472" height="493" /></p><p>Next page of the wizard offers an opportunity to     review discovered interfaces and make adjustments if     necessary. To change something, highlight an     interface, edit its parameters in the dialog, then     click &#8220;Update&#8221;. Finally when the process is done and     you click &#8220;Finish&#8221; in the wizard, the program     creates new firewall object in the tree and adds all     configured interfaces and their addresses.</p><h2>Editing Firewall Object</h2><p>The Firewall Object represents the firewall machine     and is the most complex object in Firewall Builder.     It has three sets of controls that you can modify,     not including the policy rule sets. All these     controls become available when you double-click the     firewall object in the tree.</p><p><img
class="alignnone size-full wp-image-1701" title="Edit Firewall Base Controls" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/07/edit_firewall_base_controls.png?9d7bd4" alt="Edit Firewall Base Controls" width="472" height="186" /></p><p>The base controls let you specify the basic settings     of the firewall, such as the name and firewall     platform.</p><ul><li>Name: Specify/change the name of the firewall object.</li><li>Platform: Specify/change the firewall software.</li><li>Version: Specify/change the version number of         the firewall software. In most cases, you can leave         this set to any.</li><li>Host OS: Specify/change the host operating         system of the firewall device.</li><li>Inactive firewall: Check this box to make the         firewall inactive. The firewall name will change to         a regular font (instead of bold) to indicate that         it is inactive, and the firewall will not be         available for compiling or         installation. Essentially, it’s a way to &#8220;comment         out&#8221; the firewall without deleting it.</li><li>Host OS Settings: Opens the Advanced Settings         dialog for the indicated Host OS.</li><li>Firewall Settings: Opens the Advanced Settings         dialog for the platform/firewall software.</li></ul><h2>Host OS Settings Dialog</h2><p>For explanations of the various controls, click the     Help button in the dialog.</p><p><img
class="alignnone size-full wp-image-1702" title="Edit Firewall Host OS Options" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/07/edit_firewall_hostos_options.png?9d7bd4" alt="Edit Firewall Host OS Options" width="472" height="526" /></p><h2>Firewall Settings Dialog</h2><p>For explanations of the various controls, click the     Help button in the dialog.</p><p><img
class="alignnone size-full wp-image-1703" title="Edit Firewall Settings" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/07/edit_firewall_firewall_settings.png?9d7bd4" alt="Edit Firewall Settings" width="472" height="471" /></p><h2>Interface Object</h2><p><img
class="alignnone size-full wp-image-1704" title="Edit firewall interface object" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/07/interface-1.png?9d7bd4" alt="Edit firewall interface object" width="472" height="185" /></p><p>Interface objects belong to firewall or host objects. Interface objects cannot exist alone. The dialog for the interface object that belongs to the firewall or host provides controls for the parameters described here.</p><ul><li>Name: The name of the interface object in Firewall Builder must match exactly the name of the interface of the firewall machine it represents. This will be something like &#8220;eth0&#8221;, &#8220;eth1&#8221;, &#8220;en0&#8221;, &#8220;br0&#8221;, and so on.</li><li>Label: On most OS’s this field is not used and serves the purpose of a descriptive label. Firewall Builder GUI uses a label, if it is not blank, to show interfaces in the tree. One of the suggested uses for this field is to mark interfaces to reflect the network topology (’outside’, ’inside’) or the purpose (’web frontend’ or ’backup subnet’). The label is mandatory for Cisco PIX though, where it must reflect the network topology.</li><li>Management interface: When a firewall has several network interfaces, one of them can be marked as the ’management interface’. The management interface is used for all communication between Firewall Builder and the firewall. 
For example, the built-in policy installer uses the address of the management interface to connect to the firewall via ssh when it copies the generated script or configuration file to it.</li><li>External interface (insecure): Marks an interface that connects to the Internet.</li><li>Unprotected interface: Marks an interface to which Firewall Builder should not assign any access lists or firewall rules. Unprotected interfaces are recognized by policy compilers for Cisco IOS access lists and PF. The compiler for IOS ACL just skips unprotected interfaces and does not assign any ACL to them when it chooses which interface to associate a given ACL with. The compiler for PF generates a &#8220;set skip on &lt;interface_name&gt;&#8221; clause for unprotected interfaces.</li><li>Regular Interface: Use this option if the interface has an IP address assigned to it manually (static IP address).</li><li>Address is assigned dynamically: Use this option if the interface has a dynamic address (obtained by means of DHCP or PPP or another protocol). In this case the address is unknown at the moment when Firewall Builder generates the firewall policy. Some firewalls allow for using the interface name in the policy instead of its IP address; the firewall engine then picks its address either when the policy is activated or even at run-time. Some other firewalls support special syntax for rules that are supposed to match packets headed to or from the firewall machine. Examples of these two cases are OpenBSD PF and Netfilter. PF rules can be constructed using interface names; PF automatically uses the current interface address when it loads rules into memory. 
Netfilter supports special &#8220;chains&#8221; called &#8220;INPUT&#8221; and &#8220;OUTPUT&#8221; that are guaranteed to inspect only packets headed for the firewall machine (&#8220;INPUT&#8221;) or originated on it (&#8220;OUTPUT&#8221;). Both methods allow Firewall Builder to build correct firewall policy rules that affect the interface with a dynamic IP address; however, the interface must be marked as such for the policy compiler to use the proper technique depending on the target firewall platform. In cases where the rule has to use the actual IP address of the interface (example: anti-spoofing rules), the compiler emulates this feature by adding a shell script fragment to determine the address at the time when the firewall script is executed and then uses the address in rules. Such emulation is only possible on platforms where the firewall configuration is in the form of a shell script, most notably the iptables script on Linux.</li><li>Unnumbered interface: Use this option if the interface can never have an IP address, such as the Ethernet interface used to run PPPoE communication on some ADSL connections, or a tunnel endpoint interface. Although an unnumbered interface does not have an address, firewall policy rules or access lists can be associated with it.</li><li>Bridge port: This option is used for a port of a bridged firewall. Compilers skip bridge ports when they pick interfaces to attach policy and NAT rules to. For target firewall platforms that support bridging and require special configuration parameters to match bridged packets, compilers use this attribute to generate proper configuration. 
For example, in the case of iptables the compiler uses <strong>-m physdev --physdev-in</strong> or <strong>-m physdev --physdev-out</strong> for bridge port interfaces.</li><li>Security level: Depending on the firewall platform, the security level is either External/Internal or a numeric value between 0 and 100, with 0 being the least secure and 100 being the most secure level. This field in the GUI dialog automatically shows controls appropriate to the current firewall. Not all firewalls support the concept of a security zone.</li><li>Network zone: Network zone of this interface, used only with Cisco PIX (ASA). The Network zone drop-down list shows all network objects and groups of addresses and networks present in the tree. Choose one of them to tell the compiler which networks and blocks of addresses can be reached through this interface. Usually the external interface (the one which connects your firewall to the Internet) has the Network Zone set to Any. It is also recommended that you create a group of objects to represent Network Zones for all other interfaces on the firewall. 
The compiler uses this information to decide         which interface each ACL rule should be         associated with based on the addresses used in         the destination of the rule.</li></ul><p>We will take a look at other object types in the     next article.</p> ]]></content:encoded> <wfw:commentRss>http://ubuntulinuxhelp.com/using-firewall-object-in-firewall-builder/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Using Built-In Revision Control in Firewall Builder</title><link>http://ubuntulinuxhelp.com/using-built-in-revision-control-in-firewall-builder/</link> <comments>http://ubuntulinuxhelp.com/using-built-in-revision-control-in-firewall-builder/#comments</comments> <pubDate>Thu, 25 Jun 2009 13:15:36 +0000</pubDate> <dc:creator>Vadim Kurland</dc:creator> <category><![CDATA[How To]]></category> <category><![CDATA[firewall]]></category> <category><![CDATA[fwbuilder]]></category> <category><![CDATA[policy]]></category> <category><![CDATA[rcs]]></category> <category><![CDATA[revisions]]></category> <category><![CDATA[rules]]></category> <category><![CDATA[security]]></category><guid
isPermaLink="false">http://ubuntulinuxhelp.com/?p=1658</guid> <description><![CDATA[This article continues the series of articles on Firewall Builder, a graphical firewall configuration and management tool that supports many Open Source firewall platforms as well as Cisco IOS access lists and Cisco ASA (PIX). Firewall Builder was introduced earlier with the article Getting Started With Firewall Builder. The series continued with articles on built-in [...]]]></description> <content:encoded><![CDATA[<p>This article continues the series of articles on Firewall Builder,     a graphical firewall configuration and management tool that     supports many Open Source firewall platforms as well as Cisco IOS     access lists and Cisco ASA (PIX).  Firewall Builder was introduced     earlier with the article <a
href="http://ubuntulinuxhelp.com/getting-started-with-firewall-builder/" title="Getting Started with Firewall Builder"  target="_self"> Getting Started With Firewall Builder</a>. The series continued     with articles on <a
href="http://ubuntulinuxhelp.com/series/firewall-builder/" title="Firewall Builder Series"  target="_self">built-in     policy importer and other topics</a>.</p><p>More information on Firewall Builder, pre-built binary packages     and source code, documentation and <strong>Firewall Builder     Cookbook</strong> can be found on the project web site     at <a
href="http://www.fwbuilder.org/" title="Firewall Builder"  target="_blank"> www.fwbuilder.org</a>. Watch <a
href="http://blog.fwbuilder.org/" >Project Blog</a> for announcements and articles on all aspects of using Firewall Builder.</p><p>This article demonstrates one of the more advanced features of Firewall Builder &#8211; the built-in Revision Control System (RCS).</p><p>The Firewall Builder GUI has a built-in revision control system that can be used to keep track of changes in the objects and policy rules. If a data file has been added to the revision control system, every time it is saved, the system asks the user to enter a comment that describes the changes made to the file in this session and stores it along with the data. The program also assigns a new revision number to the data file using the standard software versioning system with major and minor version numbers separated by a dot. The next time you open this data file, the program presents a list of revisions along with dates and comments, letting you choose which revision you want to use. You can open the latest revision and continue working with the file from the point where you left off last time, or open one of the older revisions to inspect what the configuration looked like in the past and possibly create a branch in the revision control system. Here we take a closer look at the built-in revision control system.</p><p>We start with a regular data file which we open in the Firewall Builder GUI as usual. Note that the name of the file appears in the titlebar of the main window; here it is <strong><em>[test2.fwb]</em></strong>:</p><p><img
class="alignnone size-full wp-image-1659" title="Firewall Builder" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/rcs_screenshot_1.png?9d7bd4" alt="Firewall Builder" width="472" height="340" /></p><p>You can always see additional information about the     file using main menu <strong><em>File/Properties</em></strong>.  There     is not much the program can report about this file     that we do not know already. It shows full path where     it is located on the file system and<span
id="more-1658"></span> the date and time     of last modification, but otherwise since it has not     been added to the revision control system, there is no     additional information it can report.</p><p><img
class="alignnone size-full wp-image-1660" title="File properties" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/rcs_screenshot_3.png?9d7bd4" alt="File properties" width="472" height="335" /></p><p>To start tracking revisions of this data file, use     menu <em>File/Add File to RCS</em>, the program     creates all necessary files and reports result in a     pop-up dialog. If for some reason adding file to the     revision control has failed, the program reports error     in the same pop-up dialog. <a
href="http://www.fwbuilder.org/docs/firewall_builder_faq.html#AEN652" title="Firewall Builder FAQ - Using RCS"  target="_blank">Firewall       Builder FAQ <strong>&#8220;Using RCS&#8221;</strong></a> has a list of     typical problems that may occur at this point.</p><p><img
class="alignnone size-full wp-image-1661" title="Add file to RCS" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/rcs_screenshot_4.png?9d7bd4" alt="Add file to RCS" width="472" height="664" /></p><p><img
class="alignnone size-full wp-image-1662" title="File added to RCS" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/rcs_screenshot_5.png?9d7bd4" alt="File added to RCS" width="472" height="171" /></p><p>A few things have changed in the GUI after the file has been added to the revision control system. First, besides its name, the titlebar now shows its revision. The initial revision number after the file has just been added to revision control is <strong><em>1.1</em></strong>.</p><p><img
class="alignnone size-full wp-image-1663" title="Policy" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/rcs_screenshot_6.png?9d7bd4" alt="Policy" width="472" height="257" /></p><p>The File/Properties dialog shows that the file is now     being tracked by revision control system and its     current revision is<strong> <em>1.1</em></strong>. There is only one     revision in the history and the comment     is<strong> <em>&#8220;Initial revision&#8221;</em></strong> which is added     automatically by the program.</p><p><img
class="alignnone size-full wp-image-1664" title="File properties" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/rcs_screenshot_7.png?9d7bd4" alt="File properties" width="472" height="324" /></p><p>Let&#8217;s see how revision control system keeps track of     the changes done in the data file. To demonstrate     this, I am going to make a change in one of the     objects, save the data file and check it (this creates     new revision), then I&#8217;ll close it and open it again,     first the latest revision where the change is present,     and then previous revision where the change is absent.</p><p>Here is the rule set of this firewall I have started     with, it is very simple and consists of just 5 rules:</p><p><img
class="alignnone size-full wp-image-1665" title="Rules set" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/rcs_screenshot_8.png?9d7bd4" alt="Rules set" width="472" height="136" /></p><p>Now I added one more rule (to permit HTTP to the firewall). This is rule #3, it is colored yellow:</p><p><img
class="alignnone size-full wp-image-1666" title="Permit HTTP" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/rcs_screenshot_9.png?9d7bd4" alt="Permit HTTP" width="472" height="148" /></p><p>Now I save this file using menu <strong><em>File/Save</em></strong> and exit the program. Before I can do that, however, the program tries to check the file in to the RCS and presents a dialog where I can add a comment to document the change I made. I enter the comment and press the <strong><em>Check file in</em></strong> button to complete the operation. The file is now checked in and the program exits.</p><p><img
class="alignnone size-full wp-image-1667" title="Check file in" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/rcs_screenshot_10.png?9d7bd4" alt="Check file in" width="472" height="315" /></p><p>Now I restart the program and try to open the same     file using <strong><em>File/Open</em></strong>. Since the file is now     in RCS, the program presents the dialog with the list     of its revisions. Each revision has a comment     associated with it, shown at the bottom of the     dialog. Note also that each revision also shows the     user name of the user who checked it in which is very     useful in a multi-user environment.</p><p><img
class="alignnone size-full wp-image-1668" title="RCS file revision" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/rcs_screenshot_11.png?9d7bd4" alt="RCS file revision" width="472" height="388" /></p><p><img
class="alignnone size-full wp-image-1670" title="Revision notes" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/rcs_screenshot_12.png?9d7bd4" alt="Revision notes" width="472" height="388" /></p><p>If I choose revision <strong><em>1.2</em> </strong>(the latest) and     open the file using button <strong><em>Open</em></strong>, I get my     rules including rule that permits HTTP to the     firewall:</p><p><img
class="alignnone size-full wp-image-1672" title="Open new revision" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/rcs_screenshot_13.png?9d7bd4" alt="Open new revision" width="472" height="292" /></p><p>If I choose revision<strong> <em>1.1</em></strong> and open the file, I     get the policy that looks like this (note revision     number in the main window titlebar, it     is <strong><em>1.1</em></strong>):</p><p><img
class="alignnone size-full wp-image-1673" title="Open old revision" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/rcs_screenshot_14.png?9d7bd4" alt="Open old revision" width="472" height="282" /></p><p>The rule to permit HTTP to the firewall is not there because I opened an old revision of the data file. Essentially, I rolled back the change I made in rev <strong><em>1.2</em></strong>. If I only wanted to see what the rules looked like in rev 1.1, I can now just close the file and open its latest revision to continue working with it. I can do more than just look at the rules in the old revision: I can compile them and install them on the firewall if that is what I need to do. Note that this can break things if some protocols were added to the firewall rules later, but this can be useful if you need to test things as they were a few days ago.</p><p>However, if I want to roll back the change and continue without it, all I need to do is make the change in this revision (1.1) and then save and check it in. This will create a branch in RCS and I will be able to continue working with it later. The previous change, checked in as rev 1.2, will always be there though, and I will always be able to revert to it if I want. The program does not merge branches; merging changes in XML files is a complex task and is not implemented at this time.</p><p>To illustrate creation of a branch, I am making a change to revision 1.1 of the data file as shown in the next screenshot:</p><p><img
class="alignnone size-full wp-image-1674" title="Change, edit revision" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/rcs_screenshot_141.png?9d7bd4" alt="Change, edit revision" width="472" height="282" /></p><p>I then save and check this file in with appropriate     comment. To check it in I use     menu <strong><em>File/Commit</em></strong>. I then close the file     using<strong> <em>File/Close</em></strong> and reopen it again     using<strong> <em>File/Open</em></strong>. This accomplishes the same     operation as in the example above in this document,     except I do not close the program. When I try to open     it, the program shows the branch and new     revision <strong><em>1.1.1.1</em></strong> that I just created. Note     that the time of the revision <strong><em>1.1.1.1</em></strong> is     later than the time of revision<strong> <em>1.2</em></strong>:</p><p><img
class="alignnone size-full wp-image-1675" title="RCS file preview" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/rcs_screenshot_16.png?9d7bd4" alt="RCS file preview" width="472" height="360" /></p><p>Now if I open rev <strong><em>1.1.1.1</em></strong>, continue working with it and check new changes in, the program will create revision <strong><em>1.1.1.2</em></strong> and so on.</p><p>This document demonstrates how the built-in revision control system (RCS) in the Firewall Builder GUI can be used to document changes in the file. It can also be used to roll back changes to a previous revision, either temporarily or permanently. Using RCS helps establish accountability if several administrators can make changes to the policy of firewalls because RCS keeps track of the user name of the user who checked changes in. RCS in Firewall Builder works on all supported OS, that is Linux, FreeBSD, OpenBSD, Windows and Mac OS X. On Linux, *BSD and Mac OS X it relies on the system-wide installed <em>rcs</em> package, while on Windows rcs tools are installed as part of the Firewall Builder package. In general, I recommend always using RCS even in simple cases when only one administrator uses the tool. 
Ability to document     changes and roll back if necessary are great     advantages that help a lot to improve the process of     security policy management.</p> ]]></content:encoded> <wfw:commentRss>http://ubuntulinuxhelp.com/using-built-in-revision-control-in-firewall-builder/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Using Built-in Policy Installer in Firewall Builder</title><link>http://ubuntulinuxhelp.com/using-built-in-policy-installer-in-firewall-builder/</link> <comments>http://ubuntulinuxhelp.com/using-built-in-policy-installer-in-firewall-builder/#comments</comments> <pubDate>Wed, 17 Jun 2009 16:32:36 +0000</pubDate> <dc:creator>Vadim Kurland</dc:creator> <category><![CDATA[How To]]></category> <category><![CDATA[configure]]></category> <category><![CDATA[firewall]]></category> <category><![CDATA[fwbuilder]]></category> <category><![CDATA[how to]]></category> <category><![CDATA[install]]></category> <category><![CDATA[iptables]]></category> <category><![CDATA[security]]></category> <category><![CDATA[server]]></category><guid
isPermaLink="false">http://ubuntulinuxhelp.com/?p=1622</guid> <description><![CDATA[This article continues the series of articles on Firewall Builder, a graphical firewall configuration and management tool that supports many Open Source firewall platforms as well as Cisco IOS access lists and Cisco ASA (PIX). Firewall Builder was introduced on this site earlier with articles Getting Started With Firewall Builder and Using Built-in Policy Importer [...]]]></description> <content:encoded><![CDATA[<p>This article continues the series of articles on Firewall Builder,     a graphical firewall configuration and management tool that     supports many Open Source firewall platforms as well as Cisco IOS     access lists and Cisco ASA (PIX).  Firewall Builder was introduced     on this site earlier with articles <a
href="http://ubuntulinuxhelp.com/getting-started-with-firewall-builder/" title="Getting Started with Firewall Builder"  target="_self"> Getting Started With Firewall Builder</a> and <a
href="http://ubuntulinuxhelp.com/using-built-in-policy-importer-in-firewall-builder/" title="Using Built-in Policy Importer in Firewall Builder"  target="_blank">Using Built-in Policy Importer in Firewall Builder</a>.</p><p>More information on Firewall Builder, pre-built binary packages     and source code, documentation and <strong>Firewall Builder     Cookbook</strong> can be found on the project web site     at <a
href="http://www.fwbuilder.org/" title="www.fwbuilder.org"  target="_blank"> www.fwbuilder.org</a>. Watch <a
href="http://blog.fwbuilder.org/" title="Project blog"  target="_blank">Project Blog</a> for announcements and articles on all aspects of using     Firewall Builder.</p><p>After firewall configuration has been generated by     one of the policy compilers and saved in a file on     disk in the format required by the target firewall,     it needs to be transferred to the firewall machine     and activated. This function is performed by the     component we call &#8220;Policy Installer&#8221; which is part     of the Firewall Builder GUI.</p><p>Starting with version 2.0, Firewall Builder comes with built-in     installer that uses SSH to communicate with the     firewall. Installer works on all OS where Firewall Builder is     available: Linux, FreeBSD, Windows and Mac OS X.  On Linux, *BSD     and Mac OS X it uses standard ssh client that comes with the     system; on Windows it uses putty.</p><p>Installer needs to be able to copy generated firewall script to     the firewall and then run it there. In order to do so, it uses     secure shell. The program does not include ssh code, it uses     external ssh client.  On Linux, BSD and Mac OS X it uses standard     ssh client <strong>ssh</strong> and secure shell file copy     program <strong>scp</strong> that come with the system; <span
id="more-1622"></span>on Windows it uses <strong>plink.exe</strong> and <strong>pscp.exe</strong>. The full directory path to the ssh client program can be configured in the Preferences dialog (accessible via the Edit/Preferences menu); however, if you are on Linux, *BSD or Mac and use the standard ssh client that is available via your PATH environment variable, you do not need to change the default value there.</p><p>The installer works differently depending on the target platform. In the case of Linux and BSD based firewalls it uses <strong>scp</strong> to copy generated configuration files to the firewall machine and then uses <strong>ssh</strong> to log in and run the script. In the case of Cisco routers or an ASA appliance (PIX), it logs in, switches to <strong>enable</strong> and then <strong>configuration</strong> mode and executes configuration commands one by one in a manner similar to <strong>expect</strong> scripts. It inspects the router&#8217;s replies looking for errors and stops if it detects one. In the end, it issues the command <strong>write mem</strong> to store the new configuration in memory and logs out.</p><p>The built-in policy installer has been designed to work with a dedicated firewall machine, that is, when the computer where you run the Firewall Builder GUI and the actual firewall are different machines. Nevertheless, it can be used when they are the same machine as well. The only difference is that in all commands below you would use the name or address of the machine where you run Firewall Builder instead of the name or address of the dedicated firewall. The SSH client will then connect back to the same machine where it runs and everything will work exactly the same as if it were a different computer.</p><h2>How does installer decide what address to use to connect to the firewall</h2><p>The installer does not use the name of the firewall to connect to; it always connects to its IP address. 
It     starts by scanning interfaces of the firewall object     looking for one that is marked as <em>&#8220;Management       interface&#8221;</em> using checkbox in the interface     object dialog. Installer will use address of this     interface to connect to. The <em>&#8220;management       interface&#8221;</em> checkbox looks like shown on the     next screenshot:</p><p><img
class="alignnone size-full wp-image-1624" title="Management interface" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/management_interface.png?9d7bd4" alt="Management interface" width="472" height="220" /></p><p>If your firewall has multiple addresses and you want     to use the one that is not assigned to its interface     in the fwbuilder object, then you can overwrite the     address using entry field in     the <em>&#8220;installer&#8221;</em> tab of the &#8220;advanced&#8221;     firewall object settings dialog, like this:</p><p><img
class="alignnone size-full wp-image-1625" title="Alternative firewall address" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/alternative_fw_address.png?9d7bd4" alt="Alternative firewall address" width="472" height="242" /></p><p>More about other input fields in this dialog below.</p><p>Finally you can overwrite the address on one-time     basis just for the install session using entry field     in the installer options dialog. This is the same     dialog where you enter password:</p><p><img
class="alignnone size-full wp-image-1626" title="Alternative FW address" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/alternative_fw_address_2.png?9d7bd4" alt="Alternative FW address" width="472" height="236" /></p><p>This works for all supported firewall     platforms, i.e. iptables on Linux, pf on OpenBSD and     FreeBSD, ipfw on FreeBSD and Mac OS X, ipfilter on     FreeBSD, Cisco IOS access lists and Cisco ASA     (PIX). Regardless of the platform, installer follows     the rules described here to determine what address     it should use to connect to the firewall.</p><h2>Configuring installer on Windows</h2><p>You can skip this section if you run Firewall     Builder GUI on Linux, *BSD or Mac OS X.</p><p>Here is the link to <a
href="http://www.fwbuilder.org/slideshows/using_putty/slide_1.html" title="How to configure built-in installer to use PuTTY ssh client on Windows."  target="_blank"> slide show </a> that demonstrates the process.</p><p>Download and install putty.exe, plink.exe and pscp.exe somewhere on your machine (say, in C:\putty). Download URL is <a
href="http://www.chiark.greenend.org.uk/%7Esgtatham/putty/" title="PuTTY: A Free Telnet/SSH Client"  target="_blank">http://www.chiark.greenend.org.uk/~sgtatham/putty/</a></p><p>The installer does not use <strong>putty.exe</strong> but it will be very useful for troubleshooting and for setting up sessions and ssh keys.</p><p>In the Edit/Preferences dialog, in the &#8220;SSH&#8221; tab, use the &#8220;Browse&#8221; buttons to locate <strong>plink.exe</strong>. Hit &#8220;OK&#8221; to save preferences. If you installed it in <strong>C:\putty</strong>, then you should end up with <strong>C:\putty\plink.exe</strong> in this entry field. Do the same to configure the path to <strong>pscp.exe</strong>.</p><p>You may log in to the firewall using a regular user account or as root. See the instructions below for an explanation of how to configure sudo if you use regular user accounts. This part of the configuration does not depend on the OS on which you run Firewall Builder.</p><p>Before you try to use the fwbuilder installer with plink.exe and pscp.exe, test it from the command line to make sure you can log in to your firewall. If this is the first time you try to log in to the firewall machine using putty.exe, plink.exe or pscp.exe, then it will discover the new host key and ask you if it is correct and if you want to save it in the cache. There are lots of resources on the Internet that explain what this means and how you should verify key accuracy before you accept it. If the key is already known to the program, it will not ask you about it and will just proceed to the part where it asks you to enter the password. Enter the password and hit &#8220;Return&#8221; to see if you can log in and see the command line prompt from the firewall.</p><p>Here is the command (assuming you use account &#8220;fwadmin&#8221; to manage firewall &#8220;guardian&#8221;):</p><p><strong><span
style="color: #ff6600;">C:\Users\vadim&gt;c:\PuTTY\plink.exe -l fwadmin guardian</span></strong></p><p><img
class="alignnone size-full wp-image-1627" title="plink login" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/plink_login.png?9d7bd4" alt="plink login" width="472" height="201" /></p><p><strong>NOTE:</strong> Built-in installer does not use GUI ssh     client <strong>putty.exe</strong>, it uses command line     utilities that come from the same     author <strong>plink.exe</strong> and <strong>pscp.exe</strong>. You can     test with <strong>putty.exe</strong> but do not enter path to it     in the SSH tab of the Preferences dialog in fwbuilder,     it won&#8217;t work.</p><p>Configuring installer to use regular user account to manage the firewall:</p><p>Before v3.0.4 built-in installer could only use     regular account to activate policy if this account was     configured on the firewall to use sudo without     password. Starting with v3.0.4 this is not necessary     anymore because installer can recognize sudo password     prompts and enter password when needed.</p><ul><li> Create an account on the firewall (say,       &#8220;fwadmin&#8221;), create a group &#8220;fwadmin&#8221; and make       this user a member of this group. Most modern       Linux systems automatically create group with       the name the same as the name of the user       account.<p
class="command"><strong><span
style="color: #ff6600;">useradd fwadmin </span></strong></p></li><li> Create directory /etc/fw/ on the firewall, make       it belong to group fwadmin, make it group       writable<p
class="command"><strong><span
style="color: #ff6600;">mkdir /etc/fw<br
/> chgrp fwadmin /etc/fw<br
/> chmod g+w /etc/fw</span></strong></li><li>Configure sudo to permit user fwadmin to execute the firewall script and a couple of other commands used by the fwbuilder policy installer. Run <strong>visudo</strong> on the firewall to edit file <strong>/etc/sudoers</strong> as follows:<p
class="command"><strong><span
style="color: #ff6600;">Defaults:%fwadmin   !lecture , passwd_timeout=1 , timestamp_timeout=1<br
/> # User alias specification<br
/> %fwadmin  ALL = PASSWD: /etc/fw/&lt;FWNAME&gt;.fw , /usr/bin/pkill , /sbin/shutdown</span></strong></p><p>Here &lt;FWNAME&gt; is the name of the firewall. The installer will log in to the firewall as user fwadmin, copy the firewall script to file /etc/fw/&lt;FWNAME&gt;.fw and then use the following command to execute it:</p><p
class="command"><strong><span
style="color: #ff6600;">ssh fwadmin@firewall sudo -S /etc/fw/&lt;FWNAME&gt;.fw </span></strong></p><p>The installer needs to be able to run <strong>pkill shutdown</strong> to kill the <strong>shutdown</strong> command that may be running if you tried to install the policy in <strong>testing mode</strong> before. In testing mode the installer copies the firewall script to the temporary directory <strong>/tmp</strong>, then runs the command <strong>shutdown -r timeout</strong> to schedule a reboot in a few minutes and finally runs the firewall script. To cancel the scheduled reboot you need to install the policy again, with the test mode checkbox turned off. In this case the installer will copy the firewall script to its permanent place and use <strong>pkill</strong> to kill the running shutdown command to cancel the reboot.</li><li> Set up ssh access to the firewall. Make sure you can log in as user fwadmin using ssh from your management workstation:<p
class="command"><strong><span
style="color: #ff6600;">ssh -l fwadmin &lt;FWNAME&gt; </span></strong></p><p>You may use either password or public key authentication; the       installer will work either way. Use <strong>putty.exe</strong> or <strong>plink.exe</strong> to test ssh access if you are on Windows       (see above for the explanation how to do this on Windows).</li><li> in the &#8220;installer&#8221; tab of the &#8220;firewall settings&#8221;       dialog of the firewall object put user name you use       to log in to the firewall (here it       is <em>&#8220;fwadmin&#8221;</em>): <img
class="alignnone size-full wp-image-1631" title="Installer tab" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/installer_tab_1.png?9d7bd4" alt="Installer tab" width="472" height="140" /></li><li> If you need to use an alternative name or IP address to communicate with the firewall, put it in the corresponding field in the same dialog page</li><li> Make sure entry field &#8220;directory on the firewall where script should be installed&#8221; is set to <strong>/etc/fw</strong>. Firewall Builder is not going to create this directory, so you need to create it manually before you install firewall policy (see above).</li><li> Leave &#8220;Policy install script&#8221; and &#8220;Command line options&#8221; fields blank.</li></ul><h2>Configuring installer if you use root account to manage the firewall:</h2><ul><li> Create directory /etc/fw/ on the firewall, make it belong to root, make it writable</li><li> Set up ssh access to the firewall. Make sure you can log in as root using ssh from your management workstation:<p
class="command"><strong><span
style="color: #ff6600;">ssh -l root &lt;firewall_name&gt; </span></strong></p><p>You may use either password or public key authentication; the installer will work either way.</li><li> In the &#8220;installer&#8221; tab of the &#8220;firewall settings&#8221; dialog of the firewall object put &#8220;root&#8221; as the user name you use to log in to the firewall</li><li> Make sure entry field &#8220;directory on the firewall where script should be installed&#8221; is set to <strong>/etc/fw</strong></li><li> Leave &#8220;Policy install script&#8221; and &#8220;Command line options&#8221; fields blank</li></ul><h2>Configuring installer if you regularly switch between Unix and Windows workstations using the same .fwb file and want to manage the firewall from both</h2><p>First of all, the .fwb file is portable and can be copied back and forth between Linux/BSD and Windows machines. Even comments and object names entered in a local language should be preserved since the GUI uses UTF-8 internally.</p><p>The built-in installer relies on path settings for ssh and scp in Edit/Preferences/SSH. Since preferences are stored outside of the .fwb file, the installer should work just fine when the .fwb file is copied from Unix to Windows and back. Just configure the path to the ssh program in preferences on each system, using the default setting &#8220;ssh&#8221; on Linux and the path to plink.exe on Windows, and give it a try.</p><h2>Always permit SSH access from the management workstation to the firewall</h2><p>One of the typical errors that even experienced administrators sometimes make is to block ssh access to the firewall from the management workstation. You need your workstation to be able to communicate with the firewall in order to be able to make changes to the policy, so you always need to add a rule to permit this.  
Firewall Builder can simplify this and generate     this rule automatically if you put an IP address of     your workstation in the entry field on the first page     of firewall settings dialog. Here is the screenshot     that illustrates this setting for an iptables     firewall; management station has an IP address     192.168.1.100</p><p><img
class="alignnone size-full wp-image-1632" title="Backup access" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/backup_access.png?9d7bd4" alt="Backup access" width="472" height="521" /></p><h2>Using putty sessions on Windows</h2><p>putty allows one to store destination host name or address, user name and a bunch of other parameters in a session so that they all can be called up at once. If you wish to use sessions, do the following:</p><ul><li> Configure putty as usual, create a session for the firewall and test it using putty outside of Firewall Builder. When you use a session, firewall host name and user name are stored in the session file. Firewall Builder allows you to enter session name in the entry field in the firewall settings dialog where you would normally enter alternative address of the firewall. Comment next to the entry field reminds you about this. Just type session name in that field, leave user name field blank and save the settings.</li><li> Once you start the installer, do not enter user name in the &#8220;User name&#8221; field on the first page of installer wizard, however you need to enter the login and enable passwords. Configure the rest of installer options as usual, they do not change when you use putty sessions.</li></ul><h2>How to configure installer to use alternative ssh port number</h2><p>If ssh daemon on your firewall is listening on an alternative port, then you need to configure the built-in installer so that it will run <strong>scp</strong> and <strong>ssh</strong> clients with command line parameters that would make them connect to this port. This is done in the &#8220;installer&#8221; tab of the firewall object &#8220;advanced&#8221; settings dialog as shown on the following screenshot (here we set the port to &#8220;2222&#8221;):</p><p><img
class="alignnone size-full wp-image-1633" title="Different SSH paot" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/different_ssh_port.png?9d7bd4" alt="Different SSH paot" width="472" height="309" /></p><p>On Unix the command line option that specifies the port number is different for <strong>ssh</strong> and <strong>scp</strong>. It is lowercase <strong>-p</strong> for <strong>ssh</strong> and uppercase <strong>-P</strong> for <strong>scp</strong>. If you use <strong>putty</strong> tools <strong>plink.exe</strong> and <strong>pscp.exe</strong> on Windows, the option to specify alternative port number is <strong>-P</strong> (capital &#8220;P&#8221;) for both.</p><p>You can use the same input fields in this dialog to add any other command line parameters for <strong>ssh</strong> and <strong>scp</strong>, for example this is where you can configure parameters to make it use alternative identity file (private keys). This information is saved with a firewall object rather than globally because you may need to use different parameters for different firewall machines, such as different key files or ports.</p><h2>How to configure installer to use ssh private keys from a special file</h2><p>You can use the same entry fields in this dialog to provide other additional command line parameters for <strong>ssh</strong> and <strong>scp</strong>, for example to use keys from a different identity file. Here is how it looks:</p><p><img
class="alignnone size-full wp-image-1634" title="Different SSH keys" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/different_ssh_keys.png?9d7bd4" alt="Different SSH keys" width="472" height="63" /></p><p>Here I configure <strong>ssh</strong> and <strong>scp</strong> to use alternative port and alternative identity file <strong>~/.ssh/fwadmin_identity</strong>. The command line parameter for the port is different for <strong>ssh</strong> and <strong>scp</strong>, but parameter for the identity file is the same <strong>-i</strong> for both utilities.</p><p>On Windows, the simplest way (or maybe the only way) to use alternative keys is to use putty sessions.</p><h2>Troubleshooting ssh access to the firewall</h2><p>Built-in policy installer will not work if ssh access to the firewall is not working. Test it using this command on Linux if you use user &#8220;fwadmin&#8221; to manage firewall:</p><p
class="command"><strong><span
style="color: #ff6600;">ssh -l fwadmin firewall </span></strong></p><p>If you use root account to manage the firewall, the     command becomes</p><p
class="command"><strong><span
style="color: #ff6600;">ssh -l root firewall </span></strong></p><p>On Windows use <strong>putty.exe</strong> or <strong>plink.exe</strong> to     do this:</p><p
class="command"><strong><span
style="color: #ff6600;">C:\Users\vadim&gt;c:\PuTTY\plink.exe -l fwadmin firewall </span></strong></p><p
class="command"><strong><span
style="color: #ff6600;">C:\Users\vadim&gt;c:\PuTTY\plink.exe -l root firewall </span></strong></p><p>If you can not log in using ssh at this point, verify that ssh daemon is working on the firewall, that existing firewall policy does not block ssh access and ssh daemon configuration in /etc/ssh/sshd_config permits login for root (if you plan to use root account to manage the policy).</p><p></p><h2>Running built-in installer to copy generated firewall policy to the firewall machine and activate it there.</h2><p>Now that all preparations are complete, we can move on and actually try to install newly generated firewall policy. Select firewall object in the object tree in Firewall Builder GUI, click right mouse button and use menu item &#8220;Install&#8221;. The program will recompile the policy and open installer dialog.</p><p><img
class="alignnone size-full wp-image-1635" title="Installer IPtables" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/installer_iptables.png?9d7bd4" alt="Installer IPtables" width="472" height="499" /></p><p>(This is how the installer options dialog looks for iptables, pf, ipfilter and ipfw firewalls).</p><p>Here the program already entered user name <strong>fwadmin</strong> in the &#8220;User Name&#8221; field, but you can change it for one installation session if you wish. Next you need to enter the password for this user. <strong><em>This is the password of user fwadmin on the firewall machine</em></strong>. Address that will be used to communicate with the firewall is also entered by the program automatically, it is taken from the firewall settings. You can change it for one installation session as well.</p><p>Other installer parameters do the following:</p><ul><li><strong>Quiet install</strong>: as the name implies, this checkbox suppresses all progress output of the installer</li><li><strong>Verbose</strong>: this checkbox has the opposite action, it makes the installer print a lot of debugging information, including ssh client debug output.</li><li><strong>Store a copy of fwb file on the firewall</strong>: if this checkbox is on, the installer will copy not only generated firewall configuration files to the directory on the firewall machine which is configured in the &#8220;installer&#8221; tab of the firewall object dialog, but also the original .fwb data file. 
<strong>Use of this option is discouraged if you manage many firewalls from the same .fwb file because distributing file that contains security policy of multiple firewalls to all of them is a bad idea</strong>.</li><li><strong>Test run</strong>: if this checkbox is on, policy installer will copy firewall configuration files to a temporary directory on the firewall and will run them from there. The intent is to test generated configuration without making it permanent. If firewall machine reboots, it will activate previous firewall policy. Installer uses subdirectory <strong>&#8220;tmp&#8221;</strong> inside installation directory on the firewall machine which is configured in the &#8220;installer&#8221; tab of the firewall object dialog. If installation directory configured there is <strong>/etc/fw</strong> (as in the screenshot earlier in this HOWTO), then installer will put files in the directory <strong>/etc/fw/tmp</strong> when test install option is in effect. <strong><em>You need to create this directory on the firewall before using this installation mode</em></strong>.</li><li> <strong>Schedule reboot in&#8230; </strong>: If this option is on, installer schedules firewall reboot after given time in minutes. This can be used as a measure of last resort to protect against loss of communication with the firewall which may happen if there is an error in the new firewall policy which makes it block ssh access from the management machine. Installer uses command <strong>shutdown -r +10min</strong> to schedule reboot in 10 min. 
If installation has been successful and everything works right, you need to repeat installation with options &#8220;test install&#8221; and &#8220;Schedule reboot&#8221; turned off to cancel reboot and install new policy permanently.</li></ul><p>After all parameters are set and the password entered, hit &#8220;OK&#8221; to start installation.</p><p>If this is the first time your management machine is logging in to the firewall via ssh, it will find out that ssh host key of the firewall is unknown to it and will present you with a dialog:</p><p><img
class="alignnone size-full wp-image-1636" title="New SSH host key" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/new_ssh_host_key_dlg.png?9d7bd4" alt="New SSH host key" width="472" height="189" /></p><p>Here it says that it does not know host key of the firewall &#8220;crash&#8221;. This is nothing more than a copy of the warning message presented by the ssh client. You should verify the host key manually and if it matches, click &#8220;Yes&#8221;. If you click &#8220;No&#8221; in the dialog, installation process will be interrupted.</p><blockquote><p>Installer only recognizes ssh client warning message about unknown public host keys. If you rebuild your firewall machine, which means its host key changes, ssh will print different warning message which fwbuilder installer does not recognise. In this case you will see this message in the installer progress window, but installation process will get stuck. You need to use ssh client (<strong>ssh</strong> on Unix or <strong>putty.exe</strong> on Windows) to update host key before you can use fwbuilder policy installer with this firewall again.</p></blockquote><p>After this, installer copies files to the firewall and runs policy script there. You can monitor its progress in the dialog as shown on the screenshot:</p><p><img
class="alignnone size-full wp-image-1637" title="Install dialogue overview" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/install_dialog_overview.png?9d7bd4" alt="Install dialogue overview" width="472" height="515" /></p><p>This is an example of successful installation session. Installer records the status in the left hand side panel of the dialog. If you use installer to update several firewall machines in one session, their names and corresponding status of the installation session for each will be shown in the panel on the left. You can save installer log to a file using &#8220;Save log to file&#8221; button, this can be useful for documentation or troubleshooting.</p><p></p><h2>Running built-in installer to copy generated firewall policy to Cisco router or ASA (PIX)</h2><p>From the user&#8217;s point of view the installer works the same when you manage Cisco router or ASA firewall, with only a few minor differences. First of all, the first screen of the installer, where you enter the password, offers another input field for the <strong>enable</strong> password as well.</p><p>You should be able to use IPv6 address to communicate with the router.</p><p><img
class="alignnone size-full wp-image-1638" title="Cisco install dialogue" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/install_dialog_cisco.png?9d7bd4" alt="Cisco install dialogue" width="472" height="507" /></p><p>Most of the options and parameters in this dialog are     the same as those for Linux firewalls (see above). The     following parameters work differently for Cisco     devices:</p><ul><li><strong>Test run</strong>: if this checkbox is on, policy         installer will copy new access lists configuration         to the router or ASA appliance but will not         issue <strong>write mem</strong> command in the end.</li><li> <strong>Schedule reboot in&#8230; </strong>: If this option is         on, installer issues command <strong>reload in NNN</strong> after new configuration has been loaded. This         schedules reboot in NNN minutes. In combination         with &#8220;test run&#8221; option this can serve as a         roll-back mechanism in case of complete loss of         contact with the router or firewall because of an         error in the policy. Since &#8220;test run&#8221; does not         perform <strong>&#8220;write mem&#8221;</strong> in the end, the         original access list stays in startup         configuration of the router and will be loaded         after reboot.</li><li> <strong>Cancel reboot if policy activation was           successful</strong>: If this option is on, installer         issues command <strong>reload cancel</strong> in the end of         the policy activation process to cancel previously         scheduled reboot.</li></ul><p>Here is a screenshot of installation session to a     Cisco router. Note the output at the very top of the     log that shows how installer detected previously     unknown RSA host key and accepted it after the user     clicked &#8220;Yes&#8221; in the pop-up dialog (not shown on the     screenshot). 
It then logged into the router; you can see the <strong>banner motd</strong> output from the router. After this, installer switched to <strong>enable</strong> mode, set terminal width and turned off terminal pagination using <strong>terminal length 0</strong> command and finally switched to the <strong>configuration mode</strong>. It then started entering generated configuration line by line.</p><p><img
class="alignnone size-full wp-image-1639" title="Cisco install progress" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/install_cisco_progress.png?9d7bd4" alt="Cisco install progress" width="472" height="735" /></p><p>The final part of the installation session looks like     this:</p><p><img
class="alignnone size-full wp-image-1640" title="Cisco install ends" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/install_cisco_progress_end.png?9d7bd4" alt="Cisco install ends" width="472" height="449" /></p><p>This was a successful installation session, with no     errors. Installer finished entering configuration     lines and issued <strong>exit</strong> command to exit     configuration mode, then <strong>wr mem</strong> command to save     configuration to memory and finally <strong>exit</strong> again     to log out.</p><p></p> ]]></content:encoded> <wfw:commentRss>http://ubuntulinuxhelp.com/using-built-in-policy-installer-in-firewall-builder/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Using Built-in Policy Importer in Firewall Builder</title><link>http://ubuntulinuxhelp.com/using-built-in-policy-importer-in-firewall-builder/</link> <comments>http://ubuntulinuxhelp.com/using-built-in-policy-importer-in-firewall-builder/#comments</comments> <pubDate>Wed, 10 Jun 2009 15:23:36 +0000</pubDate> <dc:creator>Vadim Kurland</dc:creator> <category><![CDATA[How To]]></category> <category><![CDATA[configuration]]></category> <category><![CDATA[firewall]]></category> <category><![CDATA[fwbuilder]]></category> <category><![CDATA[how to]]></category> <category><![CDATA[import]]></category> <category><![CDATA[iptables]]></category> <category><![CDATA[linux]]></category> <category><![CDATA[policy]]></category> <category><![CDATA[routing]]></category> <category><![CDATA[rules]]></category> <category><![CDATA[security]]></category> <category><![CDATA[user]]></category><guid
isPermaLink="false">http://ubuntulinuxhelp.com/?p=1560</guid> <description><![CDATA[This article continues the series of articles on Firewall Builder, a graphical firewall configuration and management tool that supports many Open Source firewall platforms as well as Cisco IOS access lists and Cisco ASA (PIX). Firewall Builder was introduced on this site earlier with article  Getting Started With Firewall Builder, More information on Firewall Builder, [...]]]></description> <content:encoded><![CDATA[<p><img
class="alignleft size-full wp-image-1561" style="margin-left: 5px; margin-right: 5px;" title="Icon - Firewall Builder" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/icon_128x128.png?9d7bd4" alt="Icon - Firewall Builder" width="128" height="128" /> This article continues the series of articles on Firewall Builder, a graphical firewall configuration and management tool that supports many Open Source firewall platforms as well as Cisco IOS access lists and Cisco ASA (PIX). Firewall Builder was introduced on this site earlier with article  <a
href="http://ubuntulinuxhelp.com/getting-started-with-firewall-builder/" title="Getting Started with Firewall Builder"  target="_self">Getting Started With Firewall Builder</a>.</p><p>More information on Firewall Builder, pre-built binary packages and source code, documentation and <strong>Firewall Builder Cookbook</strong> can be found on the project web site at <a
href="http://www.fwbuilder.org" title="Firewall Builder"  target="_blank">www.fwbuilder.org</a>. Watch Project Blog for announcements and articles on all aspects of using Firewall Builder.</p><p>This article demonstrates how you can import existing iptables or Cisco router configuration into Firewall Builder.</p><p>There are two ways to activate the feature: Main menu &#8220;<strong>File/Import Policy</strong>&#8221; or &#8220;<strong>Tools/Discovery Druid</strong>&#8221; and then choose option &#8220;<strong>Import configuration of a firewall or a router</strong>&#8221;. Only import of iptables and Cisco IOS access lists is possible in the current version.</p><h2>Importing existing iptables configuration</h2><p>iptables config that the program can import is in the format of iptables-save. Script &#8220;<strong>iptables-save</strong>&#8221; is part of the standard iptables install and should be present on all Linux distributions. Usually this script is installed in /sbin/ . When you run this script, it dumps current iptables configuration to stdout. It reads iptables rules directly from the kernel rather than from some file, so what it dumps is what is really working right now. To import this into fwbuilder run the script to save configuration to a file</p><p><strong><span
style="color: #ff6600;">iptables-save &gt; iptables_config.conf </span></strong></p><p><strong> </strong>Then launch fwbuilder, activate &#8220;<strong>Import Policy</strong>&#8221; function and use &#8220;Browse&#8221; button in the dialog to find file iptables_config.conf. You also need to choose &#8220;<strong>iptables</strong>&#8221; in the drop-down menu &#8220;<strong>Platform</strong>&#8221;.</p><p>If you do not choose iptables in the &#8220;<strong>Platform</strong>&#8221; menu, the program will try to interpret the file using a different parser and will fail. The program does not make any assumptions about the file name or extension and cannot automatically determine which platform the imported configuration is for.</p><p><img
class="alignnone size-full wp-image-1562" title="Import from file" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/importer_1.png?9d7bd4" alt="Import from file" width="472" height="501" /></p><h2>Importing iptables configuration created in FireStarter</h2><p>The following example demonstrates<span
id="more-1560"></span> import of iptables policy generated by <strong>Firestarter</strong>, another popular iptables configuration management program.</p><p>After the platform is selected and file name entered, click &#8220;Next&#8221; to start the process.</p><p><img
class="alignnone size-full wp-image-1563" title="Import Configuration File" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/importer_2.png?9d7bd4" alt="Import Configuration File" width="472" height="580" /></p><p>The program tries to interpret configuration file rule-by-rule and recreates its equivalent in fwbuilder. The progress window displays errors, if any, as well as some diagnostics that show network and service objects created in the process. Note that user-defined iptables chains found in the configuration file will be re-created in fwbuilder as policy rule sets. The screenshot shows rulesets &#8220;LSI&#8221;, &#8220;LSO&#8221;, &#8220;OUTBOUND&#8221; being created. There were more but they did not fit in the output window. Address objects &#8220;h-10.3.14.10&#8221;, &#8220;h-10.3.14.255&#8221; and a few others have been created as well. Service objects &#8220;tcp fsra/s&#8221;, &#8220;udp 0-0:0-0&#8221;, &#8220;icmp -1/-1&#8221; and a few others have also been created.</p><p>Note that the new firewall object created in the process has generic name &#8220;New Firewall&#8221;. This is because iptables configuration file used for import does not have information about firewall machine name. It also does not have information about its interfaces, their names and addresses. The program can infer their names when it encounters &#8220;-i &lt;interface&gt;&#8221; or &#8220;-o &lt;interface&gt;&#8221; clause in the iptables configuration lines. It can not reliably detect their addresses though. You need to rename firewall object and add ip addresses to interfaces after the import manually.</p><p>Note also that only ipv4 part of the iptables configuration was imported. Currently, import of ipv6 iptables configuration is not supported.</p><p><img
class="alignnone size-full wp-image-1564" title="Import policy" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/importer_3.png?9d7bd4" alt="Import policy" width="472" height="554" /></p><p>Screenshot above demonstrates rule sets that the program created from the configuration it imported. Rule sets &#8220;INBOUND&#8221;, &#8220;LOG_FILTER&#8221;, &#8220;LSI&#8221;, &#8220;LSO&#8221;, &#8220;OUTBOUND&#8221;, &#8220;Policy&#8221; are all of the type &#8220;Policy&#8221; and contain filtering rules. There were no NAT rules in the original configuration so the rule set &#8220;NAT&#8221; is created but is empty. Names of all policy rule sets match names of the iptables chains in the original configuration.</p><p><img
class="alignnone size-full wp-image-1566" title="Network" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/importer_7.png?9d7bd4" alt="Network" width="472" height="175" /></p><p><img
class="alignnone size-full wp-image-1567" title="ICMP" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/importer_8.png?9d7bd4" alt="ICMP" width="472" height="168" /></p><p><img
class="alignnone size-full wp-image-1568" title="TCP" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/importer_9.png?9d7bd4" alt="TCP" width="472" height="169" /></p><p>The screenshots above demonstrate address and service objects created by the program. It writes a comment in each object to remind that it was created automatically on import. Names of these objects are chosen automatically, you can rename objects to give them more meaningful names. Some of the objects created during import have the same properties as existing service and address objects from the Standard objects library. Currently the program does not cross-match them and just creates new objects, however in the future it may use standard objects instead.</p><p>Some rules in the original iptables config used &#8220;--tcp-flags&#8221; parameter to match only certain combinations of tcp flags. Here is an example:</p><p><strong><span
style="color: #ff6600;">-A INPUT -s 10.3.14.10 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT</span></strong></p><p>In order to be able to reproduce this rule, fwbuilder created special TCP service object with given combination of tcp mask and flags:</p><p><img
class="alignnone size-full wp-image-1571" title="TCP Service" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/importer_10.png?9d7bd4" alt="TCP Service" width="472" height="191" /></p><p>The following screenshot demonstrates rules created in the main Policy rule set. These are the top iptables rules, some of them branch off to the other Policy rule sets. Some of the rules in the original policy did not match state (did not have clause &#8220;-m state --state NEW&#8221; or similar), these rules were created with the flag &#8220;stateless&#8221; turned on. In fwbuilder, this makes policy compiler generate iptables commands without &#8220;-m state --state NEW&#8221; clause which matches the original. These rules are marked with an icon that represents non-default rule options in the column &#8220;Options&#8221;.</p><p><img
class="alignnone size-full wp-image-1572" title="Policies importer" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/importer_14.png?9d7bd4" alt="Policies importer" width="472" height="304" /></p><p>Let&#8217;s inspect one group of rules a little closer. The original iptables file contained the following commands:</p><p><strong><span
style="color: #ff6600;">-A INPUT -i eth0 -j INBOUND</span></strong></p><p><strong>-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT<br
/> -A INBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT<br
/> -A INBOUND -s 10.3.14.0/255.255.255.0 -j ACCEPT<br
/> -A INBOUND -s 10.3.14.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT<br
/> -A INBOUND -s 10.3.14.0/255.255.255.0 -p udp -m udp --dport 22 -j ACCEPT<br
/> -A INBOUND -j LSI</strong></p><p>The first rule is in chain INPUT and was recreated as rule #11 in the Policy rule set (rule colored green). Since it was in INPUT, the destination object in the rule #11 is the firewall itself. The &#8220;-i eth0&#8221; clause translated into interface object &#8220;eth0&#8221; in the &#8220;Interface&#8221; rule element and direction &#8220;Inbound&#8221;. The action of the rule #11 is &#8220;Branch&#8221;, pointing to the rule set &#8220;INBOUND&#8221;. This is direct recreation of the original rule in iptables config.</p><p><img
class="alignnone size-full wp-image-1573" title="New Firewall - Inbound" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/importer_15.png?9d7bd4" alt="New Firewall - Inbound" width="472" height="142" /></p><p>This screenshot demonstrates rules created in the rule set &#8220;INBOUND&#8221;. Rule #0 matches CustomService object &#8220;custo-0-tcp&#8221; that was created to match combination of protocol &#8220;tcp&#8221; and state &#8220;RELATED,ESTABLISHED&#8221;. This object is shown in the following screenshot:</p><p><img
class="alignnone size-full wp-image-1575" title="Custom Service" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/importer_11.png?9d7bd4" alt="Custom Service" width="472" height="173" /></p><p>Fwbuilder automatically adds a rule on top of generated iptables script to match packets in states &#8220;ESTABLISHED, RELATED&#8221;. With that rule, it is not necessary to have a rule like #0 in INBOUND, but since original script had it, fwbuilder reproduced it.</p><p>Rule #1 in INBOUND matches protocol udp and state &#8220;ESTABLISHED,RELATED&#8221;. Other rules in INBOUND reproduce original rules from the chain INBOUND and match packets coming from the local net heading for the firewall machine. It is easy to see that the original policy was redundant: rules #2-4 match the same source and destination addresses but different services, but rule #2 matches any service which means rules #3 and 4 will never match any packets. Fwbuilder will detect this problem automatically if you try to compile this policy (this is called &#8220;Rule shadowing&#8221;).</p><p>All packets not matched by any rule in INBOUND will match last rule in this rule set which branches to the rule set LSI. Rule set LSI logs various packets and drops them:</p><p><img
class="alignnone size-full wp-image-1576" title="New Firewall LSI" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/importer_16.png?9d7bd4" alt="New Firewall LSI" width="472" height="195" /></p><p>The first question that comes to mind when looking at this rule set is why we have all these rules with action &#8220;Continue&#8221;.</p><p>When a rule is marked as &#8220;logging&#8221; in fwbuilder, it gets an icon in the column &#8220;Options&#8221; that represents log, this icon appears either by itself or next to the icon that represents non-default rule options. However, iptables does not allow for an action &#8220;Accept&#8221; or &#8220;Deny&#8221; to be used in combination with logging; in iptables logging is a separate target just like &#8220;ACCEPT&#8221; or &#8220;DROP&#8221;. Because of that, fwbuilder splits a rule that has action &#8220;Accept&#8221; or &#8220;Deny&#8221; or any other with logging turned on. One such rule becomes two or more iptables rules in the generated script. Unfortunately when iptables script is imported back, the program can not merge such rules and logging rules appear in the rule set as separate rules with logging icon in the &#8220;Options&#8221; column and action &#8220;Continue&#8221;. This is a valid configuration in fwbuilder, it just means that the rule generates log record but does not make any decision whether the packet should be accepted or denied and the firewall should continue its inspection.</p><p>Here is the fragment of the original iptables rules in the chain LSI:</p><p><strong><span
style="color: #ff6600;">-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN<br
/> -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6<br
/> -A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP </span></strong></p><p>These rules become rules #1 and 2 in rule set LSI in fwbuilder. The first rule, the one that does logging, becomes a separate rule because this is how it is done in iptables. If this policy was created in fwbuilder, rules #1 and 2 would be just one rule in the GUI. Double-clicking in the column &#8220;Options&#8221; in rule #1 opens dialog where you can inspect and edit its options. Tab &#8220;Limit&#8221; of this dialog controls parameters of the iptables &#8220;limit&#8221; module which was used in the original rule. Screenshot below demonstrates how policy importer recognized these parameters and reproduced them in the rule options:</p><p><img
class="alignnone size-full wp-image-1577" title="New Firewall LSI" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/importer_17.png?9d7bd4" alt="New Firewall LSI" width="472" height="372" /></p><h3>Limitations</h3><p>iptables policy importer in fwbuilder has its limitations. Main limitation is that it can only parse certain set of iptables modules and targets. There are too many modules and associated targets out there and supporting all of them is next to impossible. However, it supports the core functionality and most popular modules. Even though importer tries to be as close to the original configuration as possible, you should always review rules and objects it creates and edit resultant rules. Most of the time rules can be simplified, such as with logging rules as was explained above. Often you can merge multiple rules by putting several objects in source or destination or service. Using object and service groups is another good way to simplify rules.</p><h2>Importing Cisco IOS access lists configuration</h2><p>Importing IOS access lists configuration is more straightforward because branching is not possible there. To import configuration, first you need to save it using &#8220;show run&#8221; command. IOS has literally hundreds of different commands and configuration clauses, but fwbuilder can only parse those related to the access lists configuration. Other commands will be ignored. There is no need to edit configuration prior to importing it into fwbuilder (except for the &#8220;banner&#8221; command, see below). Saved IOS configuration has information about router name and its interfaces, this information will be used to recreate objects in fwbuilder. Parser will not only create interface objects with proper names, it will also attach address objects to them to describe their ip addresses.</p><p><img
class="alignnone size-full wp-image-1578" title="Import from file" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/importer_20.png?9d7bd4" alt="Import from file" width="472" height="212" /></p><p>Just like with iptables, we start with main menu &#8220;<strong>File/Import Policy</strong>&#8221; and enter file name in the dialog. The &#8220;<strong>Platform</strong>&#8221; drop-down list should be set to &#8220;<strong>Cisco IOS</strong>&#8220;. Click &#8220;Next&#8221; to start import process.</p><p><img
class="alignnone size-full wp-image-1579" title="Import configuration file" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/importer_21.png?9d7bd4" alt="Import configuration file" width="472" height="580" /></p><p>The program recognized router name &#8220;c3620&#8221; and its interfaces, created interface objects with their IP addresses and then created some address and service objects. My test router config contains the following lines (this is just a fragment, there are more interfaces and more ACLs):</p><p><strong><span
style="color: #ff6600;">interface FastEthernet0/0<br
/> ip address 192.168.100.100 255.255.255.0 secondary<br
/> ip address 10.3.14.201 255.255.255.0<br
/> ip access-group fe0_0_acl_in in<br
/> ip access-group fe0_0_acl_out out<br
/> no ip mroute-cache<br
/> duplex auto<br
/> speed auto<br
/> !<br
/> interface Ethernet1/0<br
/> description Test [test] {test} (and one more test) /weird:characters#$%^&amp;*/<br
/> ip address 192.168.171.2 255.255.255.0<br
/> ip access-group e1_0_acl_in in<br
/> ip access-group e1_0_acl_out out<br
/> no ip mroute-cache<br
/> ip ospf cost 65000<br
/> half-duplex<br
/> crypto map real</span></strong></p><p><span
style="color: #ff6600;"><strong>!###################################################<br
/> ip access-list extended e1_0_acl_in<br
/> deny ip any any fragments<br
/> permit tcp host 10.3.14.40 host 192.168.171.2 eq 22 log<br
/> permit tcp host 10.3.14.40 host 10.3.14.201 eq 22 log<br
/> permit ip any 10.3.14.0 0.0.0.255 log<br
/> deny ip any any log<br
/> !###################################################<br
/> ip access-list extended e1_0_acl_out<br
/> permit ip 10.3.14.0 0.0.0.255 any log<br
/> deny ip any any log</strong></span></p><p>Parser recognizes comments and skips them, but text from interface descriptions goes into comments in the Interface objects.</p><p><img
class="alignnone size-full wp-image-1580" title="Interface objects" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/importer_22.png?9d7bd4" alt="Interface objects" width="472" height="533" /></p><p>Firewall Builder recognizes both named and regular extended access lists. Each separate access list is recreated in fwbuilder in the same main Policy rule set. The program recognizes &#8220;ip access-group&#8221; commands and puts corresponding interface object in the &#8220;Interface&#8221; rule element of the rules it creates.</p><p><img
class="alignnone size-full wp-image-1581" title="Policy" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/importer_30.png?9d7bd4" alt="Policy" width="472" height="282" /></p><p>The original configuration used the same access list &#8220;133&#8221; with two interfaces:</p><p><strong><span
style="color: #ff6600;">interface Ethernet1/1<br
/> ip address 10.10.10.10 255.255.255.0<br
/> no ip mroute-cache<br
/> !<br
/> ! Note &#8211; the same access list applied both in and out<br
/> ip access-group 133 in<br
/> ip access-group 133 out<br
/> no shutdown<br
/> half-duplex<br
/> !<br
/> interface Ethernet1/2<br
/> ip address 10.10.20.20 255.255.255.0<br
/> no ip mroute-cache<br
/> !<br
/> ! Note &#8211; the same access list applied both in and out<br
/> ! the same list is applied to eth 1/1 and eth 1/2<br
/> ip access-group 133 in<br
/> ip access-group 133 out<br
/> no shutdown<br
/> half-duplex<br
/> !</span></strong></p><p>The program recognizes this and creates object group &#8220;intf-acl_133&#8221; with these two interfaces as members:</p><p><img
class="alignnone size-full wp-image-1582" title="Creates group objects" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/06/importer_31.png?9d7bd4" alt="Creates group objects" width="472" height="173" /></p><p>It then uses this group in the &#8220;Interface&#8221; element of rules #0, 1 and 2 to reproduce rules from the access list &#8220;133&#8221;.</p><p>Interface configuration commands visible in the config snippets above, such as &#8220;half-duplex&#8221;, &#8220;duplex auto&#8221;, &#8220;speed auto&#8221;, various protocol configuration commands and other commands supported by IOS inside the &#8220;interface&#8221; block, are ignored.</p><h3>Limitations</h3><p>One IOS configuration construct that fwbuilder cannot import is the &#8220;banner&#8221; command. This command is special in that it allows the user to set an arbitrary terminator character and then allows any text up to this character. This creates a problem for the fwbuilder parser because the terminator character can be arbitrary. 
You need to edit and remove banner from the saved configuration file before importing it.</p> ]]></content:encoded> <wfw:commentRss>http://ubuntulinuxhelp.com/using-built-in-policy-importer-in-firewall-builder/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Getting Started with Firewall Builder</title><link>http://ubuntulinuxhelp.com/getting-started-with-firewall-builder/</link> <comments>http://ubuntulinuxhelp.com/getting-started-with-firewall-builder/#comments</comments> <pubDate>Mon, 09 Mar 2009 16:36:20 +0000</pubDate> <dc:creator>Vadim Kurland</dc:creator> <category><![CDATA[Hands On]]></category> <category><![CDATA[How To]]></category> <category><![CDATA[configure]]></category> <category><![CDATA[filters]]></category> <category><![CDATA[firewall]]></category> <category><![CDATA[fwbuilder]]></category> <category><![CDATA[how to]]></category> <category><![CDATA[install]]></category> <category><![CDATA[iptables]]></category> <category><![CDATA[ipv4]]></category> <category><![CDATA[ipv6]]></category> <category><![CDATA[linux]]></category> <category><![CDATA[network]]></category> <category><![CDATA[opensource]]></category> <category><![CDATA[rules]]></category> <category><![CDATA[security]]></category><guid
isPermaLink="false">http://ubuntulinuxhelp.com/?p=1331</guid> <description><![CDATA[This guide presents an introduction to Firewall Builder. Firewall Builder (also known as fwbuilder), is a GUI firewall configuration and management tool that supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco routers extended access lists. Both professional network administrators and hobbyists managing firewalls with policies more complex than is allowed by [...]]]></description> <content:encoded><![CDATA[<p>This guide presents an introduction to Firewall Builder. <strong>Firewall Builder</strong> (also known as <strong>fwbuilder</strong>) is a GUI firewall configuration and management tool that supports <strong>iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco routers extended access lists</strong>. Both professional network administrators and hobbyists managing firewalls with policies more complex than is allowed by a simple web-based UI can simplify management tasks with the application. The program runs on Linux, FreeBSD, OpenBSD, Windows and Mac OS X and can manage both local and remote firewalls.</p><p>Firewall Builder is packaged with most Linux distributions and is available under the &#8220;<strong><em>System/Administration</em></strong>&#8221; menu.</p><div
id="attachment_1333" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1333" title="Access admin" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_011.png?9d7bd4" alt="Accessing Firewall Builder" width="465" height="124" /><p
class="wp-caption-text">Accessing Firewall Builder</p></div><p>If it is not there, then it probably needs to be installed on your system. You need to install the package that provides the supporting API library libfwbuilder and the package fwbuilder, which contains the Firewall Builder GUI and policy compilers. Use apt-get or aptitude to find and <span
id="more-1331"></span>install them:</p><p><span
style="color: #ff6600;"><code># aptitude install libfwbuilder fwbuilder</code></span></p><p>On FreeBSD and OpenBSD Firewall Builder is part of ports, you can find it in <strong>/usr/ports/security/fwbuilder</strong>.</p><p>Packages shipping with Ubuntu are always one or two minor revisions behind. If you want to try the latest version, you can use the pre-built binary .deb packages offered on the project&#8217;s web site or build from source using our online <a
href="http://www.fwbuilder.org/guides/firewall_builder_installation.html" title="Firewall Builder installation instructions"  target="_blank">installation instructions</a>. Pre-built binary packages and source code tar.gz archives can be <a
href="http://www.fwbuilder.org/docs/firewall_builder_packages.html" title="Download Firewall Builder"  target="_blank">downloaded from this page</a>.</p><p>If the system menu item is not there or you have built the program from source, you can always launch it from the command line by just typing &#8220;fwbuilder&#8221; on the shell prompt:</p><p><span
style="color: #ff6600;"><code>$ fwbuilder</code></span></p><p>The program starts and opens the main window and greeting dialog. The dialog provides links to the project web site where you can find more tutorials, FAQ, Firewall Builder CookBook and other documentation, as well as a bug tracking system and links to user forums and the mailing list. Clicking on a link in the dialog opens the corresponding web page in your web browser. This works the same on all supported OS: Linux, Windows and Mac OS X. You can always open this dialog later using an item in the main menu &#8220;Help&#8221;.</p><div
id="attachment_1334" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1334" title="Starting FWbuilder" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_010.png?9d7bd4" alt="Starting FWbuilder" width="465" height="407" /><p
class="wp-caption-text">Firewall Builder startup greeting</p></div><p>Let&#8217;s create our first firewall object. To do this, we&#8217;ll use the object creation menu that appears when you click on the icon in the small toolbar right above the object tree. Choose menu item &#8220;New Firewall&#8221; from the menu that appears.</p><div
id="attachment_1336" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1336" title="New firewall" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_020.png?9d7bd4" alt="Setup new firewall" width="465" height="326" /><p
class="wp-caption-text">Setup new firewall</p></div><p>The program presents a wizard-like dialog that will guide you through the process for creation of the new firewall object. In the first page of the wizard you can enter the name for the new firewall object (here it is &#8220;guardian&#8221;), its platform (&#8220;iptables&#8221;) and host OS (&#8220;Linux&#8221;).</p><p>There are two ways a new firewall can be created: you can use one of the preconfigured template firewall objects or create it from scratch. This tutorial demonstrates the first method (using template object). To do this, check checkbox &#8220;Use preconfigured template firewall objects&#8221;. The template can be taken from the library of template objects that comes with the Firewall Builder package or from a file provided by the user. The latter is useful when the administrator wants to distribute a library of predefined templates to other users in the enterprise. We are using one of the standard templates in this guide and therefore leave the standard template library path and name in the &#8220;Template file:&#8221; input field. Click &#8220;Next&#8221; to move on to the next page of the wizard.</p><p>Note that the template firewall object comes completely configured, including addresses and netmasks of its interfaces and some basic policy and NAT rules. This configuration is intended as a starting point only. You should reconfigure the addresses of interfaces to match those used on your network; and most likely will have to adjust rules to match your security policy.</p><div
id="attachment_1338" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1338" title="Firewall template" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_030.png?9d7bd4" alt="Configure firewall template" width="465" height="284" /><p
class="wp-caption-text">Configure firewall template</p></div><p>This page of the wizard shows template objects and their configuration. Standard template objects represent firewalls with two or three interfaces, a host with one interface, web server or Cisco router. Choose firewall with three interfaces for this guide. Note that template comes with completely configured firewall objects, including a set of interfaces and their IP addresses &#8211; And some basic firewall policy. You will see how addresses can be changed later on in this guide. Click &#8220;Finish&#8221; to create a new firewall object using the chosen template.</p><div
id="attachment_1339" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1339" title="Firewall objects" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_040.png?9d7bd4" alt="Firewall objects" width="465" height="642" /><p
class="wp-caption-text">Firewall objects</p></div><p>Here is our new firewall object. Its name is <strong>guardian</strong>, it appears in the object tree in the left hand side of the main window in the folder <strong>Firewalls</strong>. When an object is selected in the tree, a brief summary of its properties appears in the panel under the tree. Double-clicking on the object in the tree opens it in the editor panel at the bottom of the right hand side panel of the main window. The editor for the firewall object allows the user to change its name, platform and host OS and also provides buttons that open dialogs for &#8220;advanced&#8221; settings for the firewall platform and host OS. We will inspect these a little later in this tutorial.</p><p>You can always resize the main window to make all columns of the policy view more visible.</p><div
id="attachment_1341" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1341" title="Guardian/Policy" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_050.png?9d7bd4" alt="Guardian/Policy view" width="465" height="394" /><p
class="wp-caption-text">Guardian/Policy view</p></div><p>Now would be a good time to save the data to a disk file. This is done in the usual way using main menu <strong>File/Save As</strong>.</p><p>Let&#8217;s take a little tour of the network and service objects that come standard with the program. You can use these preconfigured objects to build policy and NAT rules for your firewall.</p><p>Objects in the tree are organized in libraries; you can switch between libraries using the interfaces&#8217; drop-down menu above the tree. Firewall Builder comes with a collection of address, network, service and time interval objects in the library called &#8220;Standard&#8221;. Let&#8217;s take a look at them. Notice that the background color of the panel that shows the object tree depends on the chosen object library. This makes it easier to keep track of the library currently opened in the program.</p><div
id="attachment_1342" class="wp-caption alignnone" style="width: 284px"><img
class="size-full wp-image-1342" title="Libraries" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_060.png?9d7bd4" alt="The libraries" width="274" height="203" /><p
class="wp-caption-text">The libraries</p></div><p>Folder <strong>Objects/Hosts</strong> contains few host objects used in standard firewall templates. Folder <strong>Objects/Network</strong> contains network objects that represent various standard address ranges and blocks, such as multicast, net 127/8, networks defined in RFC1918 and so on.</p><div
id="attachment_1344" class="wp-caption alignnone" style="width: 267px"><img
class="size-full wp-image-1344" title="Newtork objects" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_070.png?9d7bd4" alt="Newtork objects" width="257" height="348" /><p
class="wp-caption-text">Network objects</p></div><p>Firewall Builder also comes with extensive collection of TCP, UDP and ICMP service objects that describe commonly used protocols. This image shows some TCP objects (all of them do not fit in the screenshot).</p><div
id="attachment_1345" class="wp-caption alignnone" style="width: 270px"><img
class="size-full wp-image-1345" title="TCP objects" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_080.png?9d7bd4" alt="TCP (protocol) objects" width="260" height="347" /><p
class="wp-caption-text">TCP (protocol) objects</p></div><p>Here is an example of a simple TCP service. It defines source and     destination port ranges (in this case source port range is not     defined and there is only one destination port 80). TCP service     object can also define any combination of TCP flags the firewall     should inspect and also which ones of them should be set in order     for a packet to match this object. In the case of the service     &#8220;http&#8221; we do not need to define any flags.</p><div
id="attachment_1347" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1347" title="TCP service" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_090.png?9d7bd4" alt="TCP service" width="465" height="214" /><p
class="wp-caption-text">TCP service</p></div><p>Now let&#8217;s take a look at the objects created as part of the new firewall object <strong>guardian</strong>. In order to do this, switch to the library <strong>User</strong> where this object was created. To open an object in the editor panel to inspect or change it, double click on it in the tree. Also, if you click on an object in the policy rule to select it, it will automatically open in the tree on the left.</p><div
id="attachment_1348" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1348" title="Object Guardian" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_100.png?9d7bd4" alt="Object Guardian in user library" width="465" height="393" /><p
class="wp-caption-text">Object Guardian in user library</p></div><p>First, the firewall object itself.</p><p>Every object in fwbuilder has basic attributes such as its name and comment. Other attributes depend on the object type.</p><p>Attributes of the firewall object include platform (can be iptables, pf, ipfilter, etc.), version (platform-dependent) and host OS. Buttons <strong>Host OS Settings</strong> and <strong>Firewall Settings</strong> open dialogs with many additional attributes that depend on the firewall platform and host OS. More on these later.</p><div
id="attachment_1350" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1350" title="Object attributes" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_110.png?9d7bd4" alt="Object attributes" width="465" height="219" /><p
class="wp-caption-text">Object attributes</p></div><p>Here are the choices for the firewall platform, version (for iptables) and host OS.</p><div
id="attachment_1352" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1352" title="Firewall choices" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_103.png?9d7bd4" alt="Platform choices for the firewall" width="465" height="389" /><p
class="wp-caption-text">Platform choices for the firewall</p></div><p>Interfaces of the firewall are represented by objects located below the Firewall object in the tree. We refer to them as &#8220;children&#8221; of the firewall object. This image demonstrates properties of the interface eth0. To open it in the editor double click on it in the tree. If editor panel is already open and shows some object, it is sufficient to select new object in the tree to reveal it in the editor panel (no need to double click).</p><p>IP and MAC addresses of interfaces are represented by child objects in the tree located below corresponding interface.</p><div
id="attachment_1353" class="wp-caption alignnone" style="width: 271px"><img
class="size-full wp-image-1353" title="Firewall interfaces" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_120.png?9d7bd4" alt="Firewall interfaces" width="261" height="243" /><p
class="wp-caption-text">Firewall interfaces</p></div><p>Interface object has several attributes that define its function, such as &#8220;Management interface&#8221;, &#8220;external&#8221; etc.</p><ul><li>Name: the name of the interface object in Firewall Builder must match exactly the name of the interface of the firewall machine it represents. This will be something like &#8220;eth0&#8221;, &#8220;eth1&#8221;, &#8220;en0&#8221;, &#8220;br0&#8221; and so on.</li><li>Label: On most OS this field is not used and serves the purpose of a descriptive label. Firewall Builder GUI uses a label, if it is not blank, to show interfaces in the tree. One of the suggested uses for this field is to mark interfaces to reflect the network topology (&#8216;outside&#8217;, &#8216;inside&#8217;) or the purpose (&#8216;web frontend&#8217; or &#8216;backup subnet&#8217;). The label is mandatory for Cisco PIX though, where it must reflect the network topology.</li><li>&#8220;Management interface&#8221;: Sometimes the host has several network interfaces, in which case one of them can be marked as the &#8216;management interface&#8217;. 
The management interface is used for all communication between Firewall Builder and the host.</li><li>&#8220;External interface (insecure)&#8221;: marks an interface that connects to the Internet.</li><li>&#8220;Unprotected interface&#8221;: marks an interface to which fwbuilder should not assign any access lists (used only with Cisco IOS platform)</li><li>&#8220;Regular Interface&#8221;: Use this option if the interface has an IP address assigned to it manually.</li><li>&#8220;Address is assigned dynamically&#8221;: Use this option if the interface has a dynamic address (obtained by means of DHCP or PPP or another protocol); in this case an address is unknown at the moment when Firewall Builder generates the firewall policy.</li><li>&#8220;Unnumbered interface&#8221;: Use this option if the interface can never have an IP address, such as the ethernet interface used to run PPPoE communication on some ADSL connections, tunnel endpoint interface, or an interface on a bridging firewall. See below Section 5.3.1 for more detailed discussion of these different types of interfaces.</li><li>&#8220;Bridge port&#8221;: this option is used for a port of a bridged firewall.</li><li>&#8220;Security level&#8221;: security level of this interface, used only with Cisco PIX (ASA)</li><li>&#8220;Network zone&#8221;: network zone of this interface, used only with Cisco PIX (ASA). Network zone drop-down list shows all network objects and groups of addresses and networks present in the tree. Choose one of them to tell the compiler which networks and blocks of addresses can be reached through this interface. Compiler uses this information to decide which interface each ACL rule should be associated with based on the addresses used in the destination of the rule.</li></ul><div
id="attachment_1354" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1354" title="View interface" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_130.png?9d7bd4" alt="View interface" width="465" height="219" /><p
class="wp-caption-text">View interface</p></div><p>Here is the IP address of interface eth0, the external interface of the firewall. The address and netmask are attributes of the child object of the type &#8220;IPv4 address&#8221;. Here the address is &#8220;192.0.2.1&#8221; and netmask &#8220;255.255.255.0&#8221;. Button &#8220;DNS Lookup&#8221; can be used to determine IP address using DNS. The program runs DNS query for the &#8220;A&#8221; record for the name of the parent firewall object.</p><div
id="attachment_1355" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1355" title="IP address eth0" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_140.png?9d7bd4" alt="IP address of interface eth0" width="465" height="220" /><p
class="wp-caption-text">IP address of interface eth0</p></div><p>Let&#8217;s look at the IP address of the internal interface of the firewall. The address used in the template is &#8220;192.168.1.1&#8221; with netmask &#8220;255.255.255.0&#8221;. This is a rather typical address used for small and home networks. Some commercial firewall appliances come preconfigured with this address.</p><div
id="attachment_1357" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1357" title="Internal interfaces" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_150.png?9d7bd4" alt="IP addresses of internal interfaces" width="465" height="583" /><p
class="wp-caption-text">IP addresses of internal interfaces</p></div><p>If address <strong>192.168.1.0/24</strong> matches address of your local network, you can skip this part of the guide and move to the page 4. Otherwise, you need to reconfigure the address of the internal interface of the firewall object that you just created in fwbuilder and also change address object used in the policy rules. Start with changing address attribute (and possibly netmask, if necessary) of the object <strong>guardian:eth1:ip</strong> as shown in the screenshot:</p><div
id="attachment_1359" class="wp-caption alignnone" style="width: 310px"><img
class="size-full wp-image-1359" title="Change IP address" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_160.png?9d7bd4" alt="Change IP address" width="300" height="267" /><p
class="wp-caption-text">Change IP address</p></div><p>Now we need to change IP address used in the rules. To do this, we create new Network object with correct address and replace object <strong>net-192.168.1.0</strong> in all rules with this new network object.</p><p>Use new object menu to create Network object.</p><div
id="attachment_1360" class="wp-caption alignnone" style="width: 278px"><img
class="size-full wp-image-1360" title="New network" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_170.png?9d7bd4" alt="Create new network object" width="268" height="212" /><p
class="wp-caption-text">Create new network object</p></div><p>New Network object is created with default name &#8216;New Network&#8217; and IP address 0.0.0.0.</p><div
id="attachment_1361" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1361" title="Default network" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_180.png?9d7bd4" alt="Default network created" width="465" height="243" /><p
class="wp-caption-text">Default network created</p></div><p>Edit object name and address, then hit &#8220;Apply&#8221;.</p><div
id="attachment_1362" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1362" title="Editing object" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_190.png?9d7bd4" alt="Editing network object" width="465" height="260" /><p
class="wp-caption-text">Editing network object</p></div><p>Use menu Object / Find to activate search and replace dialog. The     Find and Replace dialog opens at the bottom of the right hand side     panel in the main window, below the policy rules view.</p><div
id="attachment_1363" class="wp-caption alignnone" style="width: 337px"><img
class="size-full wp-image-1363" title="Object search" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_200.png?9d7bd4" alt="Searching for objects" width="327" height="176" /><p
class="wp-caption-text">Searching for objects</p></div><p>Locate object <strong>net-192.168.1.0</strong> in any policy rule where it is used or in its location in the tree in library <strong>Standard</strong> and drag and drop it to the left object well in the search and replace dialog as shown on the screenshot:</p><div
id="attachment_1364" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1364" title="Drag and drop" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_210.png?9d7bd4" alt="Drag and drop object" width="465" height="151" /><p
class="wp-caption-text">Drag and drop object</p></div><p>Change the scope setting to &#8220;Policy of all firewalls&#8221;. If you have many firewalls in the tree, use scope &#8220;policy of the opened firewall&#8221; instead. Locate new Network object you just created in the tree and drag and drop it to the right object well in the search and replace dialog as shown on the screenshot:</p><div
id="attachment_1368" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1368" title="Change policy scope" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_220.png?9d7bd4" alt="Changing scope of all policies" width="465" height="89" /><p
class="wp-caption-text">Changing scope of all policies</p></div><p>Now hit &#8220;Replace all&#8221; button. Pop-up dialog should appear and report how many replacements the program had to make in all rules of the firewall. Note that the replacement is done not only in the policy rules, but in NAT rules as well.</p><div
id="attachment_1369" class="wp-caption alignnone" style="width: 264px"><img
class="size-full wp-image-1369" title="Replace all" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_230.png?9d7bd4" alt="Replace all button results" width="254" height="203" /><p
class="wp-caption-text">Replace all button results</p></div><p>Now that you have created a new object and replaced the old network object with the new one in all rules, do not forget to save data to a file using menu <strong>File/Save</strong>.</p><p>Let&#8217;s inspect properties of the firewall object. Double click on the firewall &#8220;guardian&#8221; in the tree to open it in the editor panel, then click the &#8220;Firewall Settings&#8221; button in the editor. This opens a new dialog that looks like this. Notice the &#8220;Help&#8221; button in this dialog; clicking this button opens help as shown on the image below.</p><div
id="attachment_1371" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1371" title="IP tables" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_240.png?9d7bd4" alt="IP tables advanced settings" width="465" height="513" /><p
class="wp-caption-text">IP tables advanced settings</p></div><p>Online help explains all attributes and parameters located in each tab of the firewall settings dialog. I encourage you to explore it as many parameters are important and affect generated iptables script in different ways.</p><p>Next few screenshots show other tabs of the firewall settings dialog. You can find detailed explanations of all parameters in the online help.</p><div
id="attachment_1372" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1372" title="Explanations" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_250.png?9d7bd4" alt="Detailed explanation screen" width="465" height="420" /><p
class="wp-caption-text">Detailed explanation screen</p></div><p>This page defines various parameters for the built-in policy installer. Installer uses ssh client (pscp.exe and plink.exe on Windows) to transfer generated script to the firewall machine and activate it there.</p><div
id="attachment_1373" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1373" title="Policy installer" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_260.png?9d7bd4" alt="Policy installer, script generator" width="465" height="513" /><p
class="wp-caption-text">Policy installer, script generator</p></div><p>The user can define shell commands that will be included at the beginning and at the end of the generated script. These commands can do anything you want, such as configuring some subsystems, setting up routing, etc.</p><div
id="attachment_1374" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1374" title="Shell commands" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_270.png?9d7bd4" alt="Include shell command in script generator" width="465" height="514" /><p
class="wp-caption-text">Include shell command in script generator</p></div><p>Parameters for logging.</p><div
id="attachment_1375" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1375" title="Logging parameters" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_280.png?9d7bd4" alt="Logging parameter settings" width="465" height="240" /><p
class="wp-caption-text">Logging parameter settings</p></div><p>More options for script generation. Notice that fwbuilder can produce the iptables script in two formats: 1) as a shell script that calls the iptables utility to add each rule one by one, or 2) as an iptables-restore script that activates the whole policy at once. Other parameters are explained in the online help.</p><div
id="attachment_1376" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1376" title="Script options" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_290.png?9d7bd4" alt="Further script generation options" width="465" height="222" /><p
class="wp-caption-text">Further script generation options</p></div><p>Starting with v3.0, Firewall Builder can generate both IPv4 and IPv6 policy. This tab controls the order in which they are added to the script if the user has defined rules for both address families in the Policy objects of the firewall.</p><div
id="attachment_1377" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1377" title="IPv4-IPv6" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_300.png?9d7bd4" alt="IPv4 and IPv6 support" width="465" height="126" /><p
class="wp-caption-text">IPv4 and IPv6 support</p></div><p>Let&#8217;s take a look at the policy of the template firewall. These rules are intended to be an example, a starting point to help you create your own policy quicker. Most likely you will want to modify them to suit your requirements. The explanation of the rules given here is rather brief because the goal of this guide was only to demonstrate how to use Firewall Builder.</p><ul><li>Rule 0: this is an anti-spoofing rule. It blocks incoming packets with a source address that matches addresses of the firewall or the internal or DMZ networks. The rule is associated with the outside interface and has direction set to &#8220;Inbound&#8221;.</li><li>Rule 1: this rule permits any packets on the loopback interface. This is necessary because many services on the firewall machine communicate back to the same machine via loopback.</li><li>Rule 2: permits ssh access from the internal network to the firewall machine. Notice the service object &#8220;ssh&#8221; in the column &#8220;Service&#8221;. This object can be found in the Standard objects library, folder Services/TCP.</li></ul><div
id="attachment_1379" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1379" title="Policy rules" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_310.png?9d7bd4" alt="Policy rules template" width="465" height="243" /><p
class="wp-caption-text">Policy rules template</p></div><p>Policy rules belong to the object &#8220;Policy&#8221;, which is a child object of the firewall and can be found in the tree right below it. Like any other object in Firewall Builder, the Policy object has some attributes that you can edit if you double-click on it in the tree.</p><ul><li>Policy can be either IPv4, or IPv6, or combined IPv4 and IPv6. In the latter case you can use a mix of IPv4 and IPv6 address objects in the same policy (in different rules) and Firewall Builder will automatically figure out which one is which and will sort them out.</li><li>Policy can translate to only the mangle table, or a combination of the filter and mangle tables. Again, in the latter case the policy compiler decides which table to use based on the rule action and service object. Some actions, such as &#8220;Tag&#8221; (which translates into the iptables target MARK), go into the mangle table.</li><li>&#8220;Top ruleset&#8221; means that the compiler will place generated iptables rules into the built-in chains INPUT/OUTPUT/FORWARD. If the policy is not marked as &#8220;top ruleset&#8221;, generated rules will go into a user-defined chain with the same name as the policy object.</li></ul><div
id="attachment_1380" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1380" title="Policy rules" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_320.png?9d7bd4" alt="Policy rules set" width="465" height="236" /><p
class="wp-caption-text">Policy rules set</p></div><p>Here are the preconfigured NAT rules.</p><ul><li>Rule 0: tells the firewall that no address translation should be done for packets coming from network 192.168.2.0 going to 192.168.1.0 (because Translated Source, Translated Destination and Translated Service are left empty).</li><li>Rule 1: packets coming to the firewall from the internal and DMZ networks should be translated so that the source address changes and becomes that of the outside interface of the firewall.</li><li>Rule 2: packets coming from the Internet to the interface &#8220;outside&#8221; will be translated and forwarded to the internal server on the DMZ represented by the host object &#8220;server on dmz&#8221;.</li></ul><div
id="attachment_1381" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1381" title="NAT rules" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_330.png?9d7bd4" alt="Preconfigured NAT rules" width="465" height="93" /><p
class="wp-caption-text">Preconfigured NAT rules</p></div><p>Now we should be ready to compile the policy of the firewall guardian and generate the iptables script. To do this, select the firewall in the tree and right-click it. Choose the item &#8220;Compile&#8221; in the pop-up menu. The dialog that appears lists all firewall objects defined in the objects tree and lets you select which ones should be compiled. The firewall guardian has just been created and has never been compiled, and the dialog shows that. Make sure the checkbox next to the firewall object guardian is checked and click the &#8220;Next&#8221; button.</p><div
id="attachment_1382" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1382" title="Firewall compilation" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_340.png?9d7bd4" alt="Select firewalls for compilation" width="465" height="462" /><p
class="wp-caption-text">Select firewalls for compilation</p></div><p>Firewall Builder calls the policy compiler (which is, by the way, an external program that can be used on the command line). The next page of the dialog shows the compiler progress and result.</p><div
id="attachment_1383" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1383" title="Compiler progress" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_350.png?9d7bd4" alt="Compiler progress" width="465" height="350" /><p
class="wp-caption-text">Compiler progress</p></div><p>The compiler generates the iptables script in a file with the same name as the firewall object and the extension &#8220;.fw&#8221;. The file is placed in the same directory where the data file .fwb is located.</p><p><span
style="color: #ff6600;"><code>$ ls -la test2.fwb guardian.fw<br
/> -rwxr-xr-x 1 vadim vadim 11253 2009-02-16 16:41 guardian.fw<br
/> -rw-r--r-- 1 vadim vadim 24696 2009-02-16 16:41 test2.fwb</code></span></p><p>Here is what the generated script looks like. This is just a fragment from the middle to show some generated iptables commands.</p><p><span
style="color: #ff6600;"><code># ================ IPv4</code></span></p><p><span
style="color: #ff6600;"># ================ Table 'filter', automatic rules<br
/> $IPTABLES -P OUTPUT  DROP<br
/> $IPTABLES -P INPUT   DROP<br
/> $IPTABLES -P FORWARD DROP</span></p><p><span
style="color: #ff6600;">cat /proc/net/ip_tables_names | while read table; do<br
/> $IPTABLES -t $table -L -n | while read c chain rest; do<br
/> if test "X$c" = "XChain" ; then<br
/> $IPTABLES -t $table -F $chain<br
/> fi<br
/> done<br
/> $IPTABLES -t $table -X<br
/> done</span></p><p><span
style="color: #ff6600;">$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT<br
/> $IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT<br
/> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT</span></p><p><span
style="color: #ff6600;"># ================ Table 'nat',  rule set NAT<br
/> # NAT compiler errors and warnings:<br
/> #<br
/> #<br
/> # Rule 0 (NAT)<br
/> #<br
/> echo "Rule 0 (NAT)"<br
/> #<br
/> # no need to translate<br
/> # between DMZ and<br
/> # internal net<br
/> $IPTABLES -t nat -A POSTROUTING   -s 192.168.2.0/24 -d 172.16.22.0/24 -j ACCEPT<br
/> $IPTABLES -t nat -A PREROUTING   -s 192.168.2.0/24 -d 172.16.22.0/24 -j ACCEPT<br
/> #</span></p><p>Now you can transfer it to the firewall and execute it there to install the iptables rules. However, it is much more convenient to use the built-in policy installer to do this. To use the installer, right-click the firewall object in the tree and choose the menu item Install. Firewall Builder will compile the policy if necessary and then open a dialog where you can configure the installer parameters. Here you need to enter the password to authenticate to the firewall. Once you click OK, the installer will connect to the firewall using the ssh client. First, it will copy the generated script to the directory /etc on the firewall (or a different one, if configured in the Installer tab of the firewall settings dialog), then it will run this script and check for errors. Its progress will be visible in the panel of the installer wizard, just like the progress of the policy compiler.</p><div
id="attachment_1385" class="wp-caption alignnone" style="width: 475px"><img
class="size-full wp-image-1385" title="Install options" src="http://ubuntulinuxhelp.com/wp-content/uploads/2009/03/pict_370.png?9d7bd4" alt="Install options for firewall guardian" width="465" height="491" /><p
class="wp-caption-text">Install options for firewall &#39;guardian&#39;</p></div><p>This guide walked you step by step through the process of creating a firewall object, making some minor changes to its parameters and policy rules, compiling the policy and activating it on the firewall machine. This guide did not touch advanced topics such as the built-in revision control system, working with multiple data files, working with multiple firewall objects, or IPv6. You can find documentation and guides on these topics and more on our project web site at <a
href="http://www.fwbuilder.org" title="Firewall Builder"  target="_blank">http://www.fwbuilder.org</a>.</p> ]]></content:encoded> <wfw:commentRss>http://ubuntulinuxhelp.com/getting-started-with-firewall-builder/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>130 Useful Linux Based LiveCD Versions.</title><link>http://ubuntulinuxhelp.com/130-useful-linux-based-livecd-versions/</link> <comments>http://ubuntulinuxhelp.com/130-useful-linux-based-livecd-versions/#comments</comments> <pubDate>Mon, 28 Apr 2008 17:25:02 +0000</pubDate> <dc:creator>Roger Wheatley</dc:creator> <category><![CDATA[Applications]]></category> <category><![CDATA[Editorials]]></category> <category><![CDATA[bootable]]></category> <category><![CDATA[cd]]></category> <category><![CDATA[clustering]]></category> <category><![CDATA[desktop]]></category> <category><![CDATA[dvd]]></category> <category><![CDATA[education]]></category> <category><![CDATA[entertainment]]></category> <category><![CDATA[firewall]]></category> <category><![CDATA[foresnsic]]></category> <category><![CDATA[kiosk]]></category> <category><![CDATA[livecd]]></category> <category><![CDATA[medical]]></category> <category><![CDATA[multimedia]]></category> <category><![CDATA[recovery]]></category> <category><![CDATA[security]]></category><guid
isPermaLink="false">http://ubuntulinuxhelp.com/130-useful-linux-based-livecd-versions/</guid> <description><![CDATA[Recently several people asked me about trying Linux without actually installing it. Obviously the first thing that came to mind is to try versions via LiveCD. For those not familiar, LiveCD means: &#8220;A CD-ROM that contains a working copy of an operating system or other application that is run without installing it. Used for demonstration [...]]]></description> <content:encoded><![CDATA[<p>Recently several people asked me about trying Linux without actually installing it. Obviously the first thing that came to mind is to try versions via LiveCD. For those not familiar, LiveCD means:<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>&#8220;<em>A CD-ROM that contains a working copy of an operating system or other application that is run without installing it. Used for demonstration and evaluation as well as system recovery, the software runs intact from the CD.</em>&#8221; Source: <a
href="http://dictionary.zdnet.com/definition/LiveCD.html"  title="http://dictionary.zdnet.com/definition/LiveCD.html" target="_blank">http://dictionary.zdnet.com/definition/LiveCD.html</a><img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>While I was fast to mention and provide the LiveCD for Ubuntu Linux, I was asked if there are other versions of Linux or Linux-based applications that offer downloadable LiveCDs and what the primary function (of the CD) focused upon. Well, I&#8217;m by no means the know-all expert of Linux and its LiveCD distributions; I was, however, able to find almost 300 and have done my best to put them in alphabetical order with a brief blurb.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>Hopefully this will provide an initial list from which to jump off and explore different versions. It was a lot of work to put this together, but it was worthwhile and fun!<br
/> Some of the distributions are in other languages so I translated what I could into English (so please forgive any grammar mistakes).  :)  Additionally, I&#8217;ve found that several of the CD&#8217;s could be placed in more than one category, but to save constant repeats, I&#8217;ve tried to keep them in their primary focused category.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /> I also included a couple BSD mentions or so. ;)</p><p>If you have (or are aware of) a LiveCD we&#8217;ve not included below and want it included, please feel free to comment (below) or <a
href="http://ubuntulinuxhelp.com/contact/"  title="http://ubuntulinuxhelp.com/contact/">contact us</a>.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>You might want to bookmark this list and revisit it later.  ;)<br
/> Enjoy&#8230;<span
id="more-1279"></span></p><h2><font
color="#003300">Clustering LiveCD</font></h2><p><img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /><br
/> Providing tools for creating cluster server environments.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Bootable Cluster CD</strong><img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /><br
/> <a
href="http://bccd.cs.uni.edu/"  title="http://bccd.cs.uni.edu/" target="_blank"> http://bccd.cs.uni.edu/</a><img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>For clustering. From their site: The BCCD was created to facilitate instruction of parallel computing aspects and paradigms. Part of the difficulty instructors face is lack of dedicated resources to explore distributed computing aspects lack of time to preconfigure and test the supporting environment. The BCCD image addresses this problem by providing a non-destructive overlay way to run a full-fledged parallel computing environment on just about any workstation-class system&#8230;<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Clusterix</strong><img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /><br
/> <a
href="http://clusterix.livecd.net/"  title="http://clusterix.livecd.net/" target="_blank"> http://clusterix.livecd.net/</a><img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>Clusterix is a modular, live-cd Linux distro based off of Morphix, Knoppix, and Debian GNU/Linux. This means all you need to do is download the .iso, burn it to a cd, and reboot your computer. Clusterix will automatically start to boot without using your hard drive in any way. Used for clustering.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>ClusterKnoppix</strong><img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /><br
/> <a
href="http://clusterknoppix.sw.be/"  title="http://clusterknoppix.sw.be/" target="_blank"> http://clusterknoppix.sw.be/</a><br
/> <img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /><br
/> Used for clustering: ClusterKnoppix is a modified Knoppix distro using the OpenMosix kernel.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>dyne:bolic</strong><img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /><br
/> <a
href="http://www.dynebolic.org/"  title="http://www.dynebolic.org/" target="_blank"> http://www.dynebolic.org/</a><img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>A practical tool for multimedia production: you can manipulate and broadcast both sound and video with tools to record, edit, encode and stream, having automatically recognized most device and peripherals: audio, video, TV, network cards, firewire, usb and more; all using only free software!<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>You can employ this operating system without the need to install anything, and if you want to run it from hard disk you just need to copy a directory: the easiest installation ever seen!<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>It is optimized to run on slower computers, turning them into full media stations: the minimum you need is a pentium1 or k5 PC 64Mb RAM and IDE CD-ROM, or a modded XBOX game console &#8211; and if you have more than one, you can easily do clusters.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>ParallelKnoppix</strong><img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /><br
/> <a
href="http://pareto.uab.es/mcreel/ParallelKnoppix/"  title="http://pareto.uab.es/mcreel/ParallelKnoppix/" target="_blank"> http://pareto.uab.es/mcreel/ParallelKnoppix/</a></p><p>ParallelKnoppix (PK) is a fast and easy way to create a HPC cluster for parallel computing.  It is designed to be easy to use for people new to parallel computing, but it is also suitable for serious work.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>PK is normally used as a &#8220;live CD&#8221;, but it can also be used very productively from your usual operating system, through virtualization. The PK master node can be booted in a virtual machine, then you can network boot other computers to make a real (nonvirtual) Linux cluster in minutes. The cluster is ad hoc, it does not install anything to any of the computers it runs on. This way, when you shut down the cluster, the machines are in their original state.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><h2><font><font
color="#003300">Desktop LiveCD</font></font></h2><p>For desktop environments.</p><p><strong>3Anoppix</strong><img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /><br
/> <a
href="http://tavi.debian.org.tw/index.php?page=3Anoppix"  title="http://tavi.debian.org.tw/index.php?page=3Anoppix" target="_blank"> http://tavi.debian.org.tw/index.php?page=3Anoppix</a><img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>Primary focus is an easy-to-install desktop system; it is a Chinese localization of Knoppix.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>ABC Linux</strong><img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /><br
/> <a
href="http://www.abclinuxu.cz"  title="http://www.abclinuxu.cz" target="_blank"> http://www.abclinuxu.cz</a></p><p>A localized desktop version for Czech.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Adios</strong><br
/> <a
rel="nofollow" href="http://linux.softpedia.com/get/System/Operating-Systems/Linux-Distributions/ADIOS4-21188.shtml"  title="http://linux.softpedia.com/get/System/Operating-Systems/Linux-Distributions/ADIOS4-21188.shtml" target="_blank"> http://linux.softpedia.com/get/System/Operating-Systems/Linux-Distributions/ADIOS4-21188.shtml</a><img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>A desktop version that has support for UML (User Mode Linux) virtual machines which can run LIDS (Linux Intrusion Detection System) or SELinux (NSA Security Enhanced Linux).</p><p>The ADIOS live CD uses a compressed loopback filesystem and can also start with LIDS enabled. It is a custom installation of Fedora 3.0 running kernel 2.6.10 and supports X11 windows desktop environments of KDE and IceWM.</p><p><strong>AliXe</strong><br
/> <a
href="http://alixe.org/"  title="http://alixe.org/" target="_blank"> http://alixe.org/</a><img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>A Québécoise desktop version of Linux. It consists of a customized version of the live CD SLAX, (itself based on the Linux Slackware distribution). AliXe is a bootable CD-Rom. When introduced in the CD drive of your computer, it will mount a Linux system so you can try, all without altering the content of this disc in your machine.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Ankur</strong><br
/> <a
href="http://www.bengalinux.org/new/"  title="http://www.bengalinux.org/new/" target="_blank"> http://www.bengalinux.org/new/</a></p><p>A desktop version providing support for the Bangla(Bengali) language on GNU/Linux operating system.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Antemium</strong><br
/> <a
href="http://www.antesis.org/index.php?lang=en"  title="http://www.antesis.org/index.php?lang=en" target="_blank"> http://www.antesis.org/index.php?lang=en</a></p><p>A desktop version for old PCs. ANTEMIUM PC Agé is the light version of Antemium. It is designed to work on old (but not too old) computers, starting with a Pentium that has 64MB of RAM. It is reported to have worked with less RAM, but they don’t guarantee anything.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>The liveCD takes its Linux kernel from the latest Knoppix, along with the launching scripts. Everything else is a custom Slackware on a liveCD! The latest Knoppix introduces UNIONFS, a system that allows compressed read-only data on the CD to be merged with a portion of the RAM. It allows anything on the liveCD to be modified; changes are saved in RAM. The CD gains in memory usage, flexibility, and power. It is also possible to install new software on the liveCD! But beware of RAM shortages ;)</p><p><strong>aquamorph</strong><img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /><br
/> <a
href="http://aquariusoft.org/page/main/"  title="http://aquariusoft.org/page/main/" target="_blank"> http://aquariusoft.org/page/main/</a></p><p>A desktop version based on Morphix&#8217; Lightgui, aquamorph is a complete, up-to-date environment, in which the user can comfortably browse, program and generally just do his work, while not having to worry about configuring and installing things. It features programs like Mozilla&#8217;s Firefox browser and Thunderbird e-mail client, X-Chat for IRC chatting, Gaim version 2 for Instant Messaging, Abiword and Gnumeric for doing office work, Wireshark<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /> [formerly Ethereal] for doing forensic research, Graveman for burning CDs/DVDs etc. It also packages some nice fonts and audio/video codecs.</p><p><strong>Arabbix</strong><br
/> <a
href="http://www.arabeyes.org/"  title="http://www.arabeyes.org/" target="_blank"> http://www.arabeyes.org/</a></p><p>An Arabic-based desktop version. This project is tasked with bringing forth a fully Arabized Live-CD distribution.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /> This version appears to still be in Beta.</p><p><strong>Archie</strong><br
/> <a
href="http://user-contributions.org/archie.html"  title="http://user-contributions.org/archie.html" target="_blank"> http://user-contributions.org/archie.html</a></p><p>A desktop version (also in beta). A complete live Arch linux system (v0.7) to be run from a cd/usb, built with the KISS philosophy in mind. No packages have been stripped to provide a full Arch linux system, yet deliver fastest performance with no extensive bloating. Archie uses its own hw-detection tool (lshwd) ideally to support a wide range of hardware with low detection time. Archie also provides extended features like multi-lingual, nesting capabilities and hd-install.</p><p><strong>Augustux</strong><br
/> <a
href="http://www.zaralinux.org/proy/augustux/"  title="http://www.zaralinux.org/proy/augustux/" target="_blank"> http://www.zaralinux.org/proy/augustux/</a></p><p>A Spanish version that (as stated on their web site) is: &#8220;The Linux made by the world for Aragon. Augustux is a set of programs with free licenses that run from CD and who has been given a touch &#8220;Aragonese&#8221;.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>There are a lot of tools: word processor, spreadsheet, email clients and a web browser for the Internet. To use Augustux there is no need to install anything on a hard drive; it boots directly from the CD-ROM.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>Simply put the CD into the drive and boot the computer.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Austrumi</strong><br
/> <a
href="http://cyti.latgola.lv/ruuni/"  title="http://cyti.latgola.lv/ruuni/" target="_blank"> http://cyti.latgola.lv/ruuni/</a></p><p>A regional desktop CD.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /> AUSTRUMI (Austrum Latvijas Linukss) is a business card size (the current release size is 65 MB) bootable live CD Linux distribution. It is based on Slackware Linux. It was created and is currently being maintained by a group of programmers from Latgale region of Latvia. The current official release of Austrumi Linux is 1.6.0. It requires limited system resources and can run on any Intel-compatible system with a CD-ROM installed. The entire operating system and all the applications run from RAM, making Austrumi a fast system, and allowing the boot medium to be removed after the operating system starts.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Baltix</strong><br
/> <a
href="http://baltix.akl.lt/english"  title="http://baltix.akl.lt/english" target="_blank"> http://baltix.akl.lt/english</a></p><p>Baltix is a GNU/Linux desktop distribution, based on Debian and Ubuntu, for Lithuanian and Latvian people.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Basilisk</strong><br
/> <a
href="http://www.linux4all.de/livecd/basilisk/1.40/index.htm"  title="http://www.linux4all.de/livecd/basilisk/1.40/index.htm" target="_blank"> http://www.linux4all.de/livecd/basilisk/1.40/index.htm</a></p><p>A desktop version.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /> The livecd images on this site use redhat/fedora rpms, fedora related repositories (e.g. atrpms or freshrpms) as well as non-fedora software of several other open source projects.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>These livecd&#8217;s use transparent zisofs compression on a container image instead of cloop. This  allows the usage of  nearly any precompiled kernel but the image container cannot be read or extracted from non-linux systems even if written on cd.</p><p><strong>BeatrIX Linux</strong><br
/> <a
rel="nofollow" href="http://www.softpedia.com/get/UNIX/Distributions/BeatrIX-Linux.shtml"  title="http://www.softpedia.com/get/UNIX/Distributions/BeatrIX-Linux.shtml" target="_blank"> http://www.softpedia.com/get/UNIX/Distributions/BeatrIX-Linux.shtml</a></p><p>A desktop version that is a less-than-200-MB Debian/Ubuntu Linux that is a live-CD/installable to hard drive distribution featuring kernel 2.6.7, Gnome 2.8.1, Firefox 1.03 w/AdBlock, Evolution 2.01, GAIM 1.03, Open Office 1.1.2, Apt, PDF viewer, image viewer, plus much, much more.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>BerliOS MiniCD</strong><br
/> <a
href="http://developer.berlios.de/projects/minicd/"  title="http://developer.berlios.de/projects/minicd/" target="_blank"> http://developer.berlios.de/projects/minicd/</a></p><p>A desktop MiniCD is (as the name suggests) a live MiniCD Linux distribution designed to run off 185MB CDs.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /> It features automatic hardware detection, a full desktop (KDE) and is based on Mandrake Linux.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Berry Linux</strong><br
/> <a
href="http://yui.mine.nu/berry/"  title="http://yui.mine.nu/berry/" target="_blank"> http://yui.mine.nu/berry/</a></p><p>A desktop version that is a bootable CD, which features automatic hardware detection. It supports many graphics cards, sound cards, SCSI, USB, and other peripherals. If you have network devices, DHCP is auto-configured so you can use the Internet. You can enjoy OpenOffice, the MS Office compatible office suite. The GIMP can be used to edit pictures and is included in Berry Linux. Berry Linux can be used as a Linux demo, Educational CD, or a rescue system. Based on Fedora.</p><p><strong>Blin Linux</strong><br
/> <a
href="http://blin.zp.ua/"  title="http://blin.zp.ua/" target="_blank"> http://blin.zp.ua/</a></p><p>A desktop for work in the office and at home that includes Cyrillic support for Russian-speaking people. Easy to use, requires no installation, and works directly from the CD. Provides support for a wide range of modern equipment. Immediately after launch, the user receives a tailored system, ready to work in the local network or on the Internet, with a rich set of license-net programs.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>cdlinux.pl</strong><br
/> <a
href="http://www.cdlinux.pl/"  title="http://www.cdlinux.pl/" target="_blank"> http://www.cdlinux.pl/</a></p><p>A Polish language based LiveCD. Hopefully a Polish speaking person could tell us more about it?<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Cool Linux CD</strong><br
/> <a
rel="nofollow" href="http://emergencycd2.sourceforge.net/"  title="http://emergencycd2.sourceforge.net/" target="_blank"> http://emergencycd2.sourceforge.net/</a></p><p>A desktop CD. Cool Linux CD is a bootable CD with Linux operating system, containing a 2.4 kernel and many free software packages.</p><p><strong>Damn Small Linux</strong><br
/> <a
href="http://www.damnsmalllinux.org/"  title="http://www.damnsmalllinux.org/" target="_blank"> http://www.damnsmalllinux.org/</a></p><p>Damn Small Linux is a very versatile 50MB mini desktop oriented Linux distribution.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>DSL was originally developed as an experiment to see how many usable desktop applications can fit inside a 50MB live CD. It was at first just a personal tool/toy. But over time Damn Small Linux grew into a community project with hundreds of development hours put into refinements including a fully automated remote and local application installation system and a very versatile backup and restore system which may be used with any writable media including a hard drive, a floppy drive, or a USB device.</p><p><strong>Feather Linux</strong><br
/> <a
href="http://featherlinux.berlios.de/"  title="http://featherlinux.berlios.de/" target="_blank"> http://featherlinux.berlios.de/</a></p><p>Feather Linux is a Linux distribution which runs completely off a CD or a USB pendrive and takes up under 128Mb of space. It is a Knoppix remaster (based on Debian), and tries to include software which most people would use every day on their desktop.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Flash Linux</strong><br
/> <a
href="http://www.flashlinux.org.uk/"  title="http://www.flashlinux.org.uk/" target="_blank"> http://www.flashlinux.org.uk/</a></p><p>It&#8217;s a FREE (GPL-2) customized Linux distribution initially designed to be run directly off a 256Mb USB key or other (similar) forms of bootable flash memory. It has subsequently (also) become a Linux distribution that runs directly from a CDROM, typically known as a Live-CD.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Gentoo</strong><br
/> <a
href="http://www.gentoo.org/"  title="http://www.gentoo.org/" target="_blank"> http://www.gentoo.org/</a></p><p>A special flavor of Linux that can be automatically optimized and customized for just about any application or need. Extreme performance, configurability and a top-notch user and developer community.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Gnoppix</strong><br
/> <a
href="http://www.gnoppix.org/"  title="http://www.gnoppix.org/" target="_blank"> http://www.gnoppix.org/</a></p><p>Gnoppix is a Linux live CD based upon Debian GNU/Linux 3.0 (woody). It can be compared to Knoppix, but Gnoppix uses GNOME as its desktop environment.</p><p><strong>GoblinX</strong><br
/> <a
href="http://www.goblinx.com.br/en/index_home.htm"  title="http://www.goblinx.com.br/en/index_home.htm" target="_blank"> http://www.goblinx.com.br/en/index_home.htm</a></p><p>GoblinX is a Live-CD that is based on the excellent Slackware, developed and maintained by Flavio de Oliveira a.k.a Grobsch and created by using Linuxlive scripts.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>It is directed towards those users who appreciate quality applications and a workspace that is both practical and beautiful. It contains some of the most often used and praised applications for Linux, a completely operational Linux system inside a single CDROM, runs from any CDROM drive without requiring an installation and can be easily customized by anyone. It can also be used from a pendrive or other bootable device.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>GoboLinux</strong><br
/> <a
href="http://www.gobolinux.org/"  title="http://www.gobolinux.org/" target="_blank"> http://www.gobolinux.org/</a></p><p>GoboLinux is a modular Linux distribution: it organizes the programs in your system in a new, logical way. Instead of having parts of a program thrown at /usr/bin, other parts at /etc and yet more parts thrown at /usr/share/something/or/another, each program gets its own directory tree, keeping them all neatly separated and allowing you to see everything that&#8217;s installed in the system and which files belong to which programs in a simple and obvious way.</p><p><strong>Kaboot</strong><br
/> <a
href="http://www.kaboot.ainkaboot.co.uk/"  title="http://www.kaboot.ainkaboot.co.uk/" target="_blank"> http://www.kaboot.ainkaboot.co.uk/</a></p><p>Kaboot Linux Operating system aims to provide an operating system which you can take anywhere and has all your favourite programs on. Available as a Live CD or Live USB you can take with you anywhere.</p><p>A number of different versions are available, two optimized for size or speed, one for functionality, and one science based. All containing a host of useful programs able to boot virtually any computer (meeting the minimum requirements) from CD and USB.</p><p><strong>Kaella</strong><br
/> <a
href="http://kaella.linux-azur.org/"  title="http://kaella.linux-azur.org/" target="_blank"> http://kaella.linux-azur.org/</a></p><p>Kaella is a (French) Linux distribution that will fit on a CD and it works without having to install on the hard drive of your PC. It is a complete operating system, provided with all the necessary software for PC use: Internet browser, mail, office suite,<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /> media players (images, photos, sounds, videos), games &#8230;<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>Kaella is based on the Knoppix distribution: Some software was deleted, others have been added.</p><p><strong>Kanotix</strong><br
/> <a
href="http://kanotix.com/index.php?&amp;newlang=eng"  title="http://kanotix.com/index.php?&amp;newlang=eng" target="_blank"> http://kanotix.com/index.php?&amp;newlang=eng</a></p><p>Kanotix is a rock-solid Linux based on Debian, which contains the newest packages and recognizes more modern hardware than any other operating system in use today.</p><p>Kanotix is assembled for 32 Bit i586 and for AMD 64 using the most up-to-date kernel with unique patches.</p><p>Kanotix will run as a LIVE-CD on practically any computer &#8212; automatically detecting and configuring virtually any piece of hardware. It is ideal for analysis, data rescue, forensic work, removal of viruses on Win-PCs &#8211; or simply for safe surfing and mailing in an internet cafe. It installs to your hard drive in just a few minutes and is ideal for use on your desktop workstation or notebook, or as a server.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>KateOS</strong><br
/> <a
href="http://www.kateos.org/?lang=en"  title="http://www.kateos.org/?lang=en" target="_blank"> http://www.kateos.org/?lang=en</a></p><p>KateOS is a free (as in freedom) multitasking operating system targeted toward intermediate Unix users. It combines the most popular Open Source software with its own original solutions.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /> KateOS has a simple yet fully functional and fully-featured TGZex package system which makes system administration and updating a breeze. KateOS also has a set of text-mode and graphical tools for system configuration, user-friendly text-mode and graphical installation systems, a unified PAM authorization system, and many more solutions which make system maintenance a lot easier while preserving the classical Unix structure of the system. The main foci of KateOS are efficiency, security, reliability, and low system requirements. Support for common multimedia is also included.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Knoppix</strong><br
/> <a
href="http://www.knopper.net/knoppix/index-en.html"  title="http://www.knopper.net/knoppix/index-en.html" target="_blank"> http://www.knopper.net/knoppix/index-en.html</a></p><p>KNOPPIX is a bootable Live system on CD or DVD, consisting of a representative collection of GNU/Linux software, automatic hardware detection, and support for many graphics cards, sound cards, SCSI and USB devices and other peripherals. KNOPPIX can be used as a productive Linux system for the desktop, educational CD,<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /> rescue system, or adapted and used as a platform for commercial software product demos. It is not necessary to install anything on a hard disk. Due to on-the-fly decompression, the CD can have up to 2GB of executable software installed on it (over 8GB on the DVD &#8220;Maxi&#8221; edition).<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Kubuntu</strong><br
/> <a
href="http://kubuntu.org"  title="http://kubuntu.org" target="_blank"> http://kubuntu.org/</a></p><p>Kubuntu is a user friendly operating system based on KDE, the K Desktop Environment. With a predictable 6 month release cycle and part of the Ubuntu project, Kubuntu is the GNU/Linux distribution for everyone.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>LG3D LiveCD</strong><br
/> <a
href="https://lg3d-livecd.dev.java.net/Web-Site/Welcome.html"  title="https://lg3d-livecd.dev.java.net/Web-Site/Welcome.html" target="_blank"> https://lg3d-livecd.dev.java.net/Web-Site/Welcome.html</a></p><p>A 3D LiveCD that appears to be based upon Slax (unconfirmed).<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Linux from Scratch</strong><br
/> <a
href="http://www.linuxfromscratch.org/livecd/"  title="http://www.linuxfromscratch.org/livecd/" target="_blank"> http://www.linuxfromscratch.org/livecd/</a></p><p>The LFS LiveCD is geared specifically toward providing a reliable host system for the purpose of building Linux From Scratch http://www.linuxfromscratch.org/lfs/index.html. Therefore, it may not be what you would envision as a &#8220;perfect&#8221; Linux system. It should, however, provide you with a comfortable enough environment so that you can, in turn, build your own &#8220;perfect&#8221; system. Linux From Scratch (LFS) is a project that provides you with step-by-step instructions for building your own customized Linux system entirely from source.</p><p><strong>Luit Linux</strong><br
/> <a
href="http://luitlinux.sarovar.org/"  title="http://luitlinux.sarovar.org/" target="_blank"> http://luitlinux.sarovar.org/</a></p><p>Luit Linux is a small bootable live CD distribution based on KNOPPIX and Damn Small Linux. Its mission is to provide a small, compact live distribution with tools and applications for day-to-day needs, without compromising on its look and feel or ease of use.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Mandriva</strong><br
/> <a
href="http://www.mandriva.com/en/product/mandriva-linux-one"  title="http://www.mandriva.com/en/product/mandriva-linux-one" target="_blank"> http://www.mandriva.com/en/product/mandriva-linux-one</a></p><p>Linux.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /> A full Linux operating system on a single CD for both new and experienced Linux users, it is fast to download and install, and also safe to try with a live mode. One is really the one CD you need!<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>MiniKazit</strong><br
/> <a
href="http://kazit.berlios.de/mini-kazit/"  title="http://kazit.berlios.de/mini-kazit/" target="_blank"> http://kazit.berlios.de/mini-kazit/</a></p><p>MiniKazit is a live CD image, small enough to fit into a MiniCD (180M). It is based on Morphix, base module version 0.4-1e and Debian Sid.</p><p><strong>NetMAX DeskTOP</strong><br
/> <a
href="http://freshmeat.net/projects/netmax/"  title="http://freshmeat.net/projects/netmax/" target="_blank"> http://freshmeat.net/projects/netmax/</a></p><p>NetMAX DeskTOP is a Linux-based, Windows applications compatible, intuitive graphical environment that works right out of the box and offers unrivaled compatibility with any personal computer. It is designed to be usable by people who are not computer savvy. It eliminates the problems with viruses, spyware, adware, and bugs that plague the Windows platform. NetMAX DeskTOP also works as a PC repair and recovery system. It boots from CDROM and does not modify the target PC volumes unless directed to do so.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>NimbleX</strong><br
/> <a
href="http://nimblex.net/"  title="http://nimblex.net/" target="_blank"> http://nimblex.net/</a></p><p>You can build your own custom OS with a couple of clicks. As easy as it gets! NimbleX is a small but versatile operating system which is able to boot in various ways: from a small 8 cm CD, from flash memory (USB pens, MP3 players, &#8230;), from hard drives and even from the network. Because it runs entirely from a CD, USB or network it doesn&#8217;t require installation or even a hard drive. NimbleX is based on Slackware with the use of linux-live scripts and has many of that distribution&#8217;s advantages. One of them is the availability of thousands of free programs that can be found in the form of packages. The beauty of it is that even though it is small it has a beautiful graphical interface and also a lot of built-in software for browsing the internet, writing documents, listening to music, playing movies and much more. You even have basic server functionality.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Onebase Linux</strong><br
/> <a
href="http://www.ibiblio.org/onebase/"  title="http://www.ibiblio.org/onebase/" target="_blank"> http://www.ibiblio.org/onebase/</a></p><p>The Onebase Project is a Linux kernel based operating system with its own package management and administration tools.</p><p><strong>Parsix</strong><br
/> <a
href="http://www.parsix.org/html/index.php"  title="http://www.parsix.org/html/index.php" target="_blank"> http://www.parsix.org/html/index.php</a></p><p>Parsix GNU/Linux is a live and installation CD derived from KANOTIX and based on Debian. It is a complete GNOME-centric, desktop-oriented distribution. Besides the dozens of supported languages, Parsix GNU/Linux also supports the Persian keyboard, and users can switch to Persian with the Alt+Shift keys. You can install and use Parsix GNU/Linux as your PC&#8217;s operating system. We have also included the xFarDic multilingual dictionary and Persian free fonts from the FPF project.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>PCLinuxOS</strong><br
/> <a
href="http://www.pclinuxos.com/"  title="http://www.pclinuxos.com/" target="_blank"> http://www.pclinuxos.com/</a></p><p>PCLinuxOS is distributed as a LiveCD, and can also be installed to a local hard drive. LiveCD mode lets you try it without making any changes to your computer. If you like it, you can install it to your hard drive. Locally installed versions of PCLinuxOS utilize the Advanced Packaging Tool (or APT), a package management system (originally from the Debian distribution), together with Synaptic, a GUI front end to APT.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>PCLinuxOS has a script called mklivecd, which allows the user to take a &#8216;snapshot&#8217; of their current hard drive installation (all settings, applications, documents, etc.) and compress it into an ISO CD/DVD image. This allows easy backup of a user&#8217;s data and also makes it easy to create your own custom live CD/DVD.</p><p><strong>Puppy Linux</strong><br
/> <a
href="http://www.puppylinux.com/"  title="http://www.puppylinux.com/" target="_blank"> http://www.puppylinux.com/</a></p><p>Puppy really is small, the live-CD typically being 85MB, yet there really is a complete set of GUI applications. Being so small, Puppy usually loads completely into RAM, which accounts for the incredible speed.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Sabayon</strong><br
/> <a
href="http://www.sabayonlinux.org/"  title="http://www.sabayonlinux.org/" target="_blank"> http://www.sabayonlinux.org/</a></p><p>A highly scalable and community-driven Linux distribution. Based on the Gentoo distro.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Shinux</strong><br
/> <a
href="http://shinux.org/"  title="http://shinux.org/" target="_blank"> http://shinux.org/</a></p><p>With Shinux you have a complete operating system that comes with a standard suite of quality software for PC-compatible computers. Shinux aims to enable individuals or professionals to carry the equivalent of their laptop in a medallion, a watch or a simple USB flash drive. With Shinux in your pocket you can boot your office from PCs and carry your bookmarks, preferences, mail, files and applications with you.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>sidux</strong><br
/> <a
href="http://sidux.com/"  title="http://sidux.com/" target="_blank">http://sidux.com/</a></p><p>sidux is an operating system based on the Linux kernel, Debian&#8217;s most modern branch (called &#8220;Sid&#8221;) and many free and open source applications.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>According to Wikipedia, sidux &#8220;<em>&#8230;is a desktop-oriented Linux distribution based on Debian unstable, which uses the codename Sid. The distribution consists of a Live CD (bootable CD-ROM) for i686 or amd64 architecture and can be installed to a hard drive through a graphical installer&#8230;</em>&#8221; and &#8220;<em>&#8230;The aim of sidux is to make Debian Sid/unstable usable for average users. Therefore it puts Debian Sid packages together and adds its own programs. sidux&#8217; own repository avoids packages which are currently defective in Debian Sid. The sidux system management program &#8220;smxi&#8221; also holds sidux fixed packages until a repaired version from Debian appears in Debian Sid&#8230;</em>&#8221;<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>SimplyMEPIS</strong><br
/> <a
href="http://www.mepis.org/"  title="http://www.mepis.org/" target="_blank"> http://www.mepis.org/</a></p><p>SimplyMEPIS as a Live CD or DVD allows you to run the Linux operating system and all the programs from your CD or DVD drive before you install. There is no need to backup all your data, delete the whole hard disk and install the system, just to find it doesn&#8217;t meet your needs and expectations.</p><p>Insert the SimplyMepis disc in your drive and reboot your computer. Simple menu choices will quickly load SimplyMEPIS Linux allowing you to login. You&#8217;ll have a SimplyMEPIS desktop just as it would be when you install it to your hard drive. Test the included software, see if it supports all your hardware, and assure that your internet connection works. You can also use SimplyMEPIS as a recovery CD for troubleshooting computers and providing the tools to save your valuable data.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Slax</strong><br
/> <a
href="http://www.slax.org/"  title="http://www.slax.org/" target="_blank"> http://www.slax.org/</a></p><p>Slax is a modern, portable, small and fast Linux operating system with a modular approach and outstanding design. Despite its small size, Slax provides a wide collection of pre-installed software for daily use, including a well organized graphical user interface and useful recovery tools for system administrators.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>The modular approach gives you the ability to include any other software in Slax easily.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /> If you&#8217;re missing your favourite text editor, networking tool or game, simply download a module with the software and copy it to Slax, no need to install, no need to configure.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>SLYNUX</strong><br
/> <a
href="http://www.slynux.co.nr/"  title="http://www.slynux.co.nr/" target="_blank"> http://www.slynux.co.nr/</a></p><p>SLYNUX is a user friendly GNU/Linux operating system for beginners. It can be run completely from CD without installation. There are also options to install to hard disk. The main feature of this operating system is that any person who is familiar with Microsoft Windows can handle it very easily. The desktop is arranged so as to make it friendly to the user, and it has a wide range of pre-installed application programs. SLYNUX is a live Linux distribution which includes about 2GB of content, made available by using transparent compression. It is a Debian-based GNU/Linux developed from Knoppix (credit for most features of this distro goes to Knoppix). It can be used by beginners to become familiar with Linux technology. It is also a complete Linux OS suite that provides all types of needed software.</p><p><strong>Stanix</strong><br
/> <a
rel="nofollow" href="http://stanix.sourceforge.net/"  title="http://stanix.sourceforge.net/" target="_blank"> http://stanix.sourceforge.net/</a></p><p>Traditional Chinese support. Stanix provides a simple, stable, comfortable environment for your desktop without deluxe decorations. It is easy to use directly, with no need to worry about system crashes or infections by viruses.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Stux</strong><br
/> <a
href="http://www.gpstudio.com/stux/"  title="http://www.gpstudio.com/stux/" target="_blank"> http://www.gpstudio.com/stux/</a></p><p>STUX is a bootable CD with a collection of GNU/Linux software, automatic hardware detection, and support for many graphics cards, sound cards, SCSI and USB devices and other peripherals.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>STUX 2007 is based on Slackware Linux 11.0 (for packages) and Knoppix 5.0.1 (for kernel, modules, scripts).</p><p><strong>Symphony</strong><br
/> <a
href="http://symphonyos.com/cms/"  title="http://symphonyos.com/cms/" target="_blank"> http://symphonyos.com/cms/</a></p><p>SymphonyOS is a whole new type of operating system. Built on an advanced GNU/Linux base system, Symphony provides Linux’s renowned stability and immunity to Windows viruses along with what we consider to be the easiest to use interface out there, our Mezzo Desktop Environment. You can breathe new life into old hardware, as all of this is designed to work on much lower end hardware than KDE or Gnome.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>T2</strong><br
/> <a
href="http://www.t2-project.org/"  title="http://www.t2-project.org/" target="_blank"> http://www.t2-project.org/</a></p><p>T2 started as a community driven fork from the ROCK Linux Project with the aim to create a decentralized development and a clean framework for spin-off projects and customized distributions. Another goal was to provide a more continuous release stream for stable security updates.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>With T2 you can define targets for various purposes, ranging from embedded linux systems with a few MB of size over server configurations to a full desktop system featuring X.Org foundation, KDE, Gnome, OpenOffice.Org and many more. Those targets can be compiled for use on the most common architectures: Alpha, ARM, HPPA (incl. HPPA64), IA64, MIPS, PowerPC (incl. PowerPC-64), SPARC (incl. SPARC64), SuperH, x86 (incl. x86-64) &#8211; theoretically any GCC/Linux supported one.</p><p>T2 comes with many predefined targets (desktop, router, live CD&#8230;) and over 2000 package descriptions ready to build.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Tao Live</strong><br
/> <a
href="http://www.nanotechnologies.qc.ca/propos/linux/"  title="http://www.nanotechnologies.qc.ca/propos/linux/" target="_blank"> http://www.nanotechnologies.qc.ca/propos/linux/</a></p><p>This distribution is ideal for beginners.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /> Tao Live is a bootable CDROM with a collection of software and automatic hardware detection. It is not necessary to install anything on your hard disk to use Tao Live.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Tilix</strong><br
/> <a
href="http://tilix.org/"  title="http://tilix.org/" target="_blank"> http://tilix.org/</a></p><p>Tilix is a Bulgarian Linux based operating system, easy to use for beginners and for advanced users.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /> The distribution can work directly from CD or can be installed to your hard drive. The hardware recognition is automatic.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Ubuntu</strong><br
/> <a
href="http://www.ubuntu.com/"  title="http://www.ubuntu.com/" target="_blank"> http://www.ubuntu.com/</a></p><p>Ubuntu is a community developed, Linux-based operating system that is perfect for laptops, desktops and servers. It contains all the applications you need &#8211; a web browser, presentation, document and spreadsheet software, instant messaging and much more.</p><p><strong>VectorLinux</strong><br
/> <a
href="http://vectorlinux.com/website2/"  title="http://vectorlinux.com/website2/" target="_blank"> http://vectorlinux.com/website2/</a></p><p>Speed, performance, stability are the attributes that set VectorLinux apart from the crowded field of Linux distributions. The creators of VectorLinux had a single credo: keep it simple, keep it small and let the end user decide what their operating system is going to be. What has evolved from this concept is perhaps the best little Linux operating system available anywhere.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /> For the casual computer user you have a lightning fast desktop with graphical programs to handle your daily activities from web surfing, sending and receiving email, chatting on ICQ or IRC to running an ftp server. The power user will be pleased because all the tools are there to compile their own programs, use the system as a server or perhaps the gateway for their home or office computer network. Administrators will be equally as pleased because the small size and memory requirements of the operating system can be deployed on older machines maybe long forgotten.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Xfld</strong><br
/> <a
href="http://www.xfld.org/"  title="http://www.xfld.org/" target="_blank"> http://www.xfld.org/</a></p><p>Xfld &#8211; &#8216;Xfce live demo&#8217; &#8211; is a LiveCD demonstrating the latest version of the Xfce desktop environment and providing a complete GNU/Linux operating system (based on Ubuntu), which can be run directly from the CD. In contrast to the Xubuntu install CDs, the Xfld CD contains all tools and applications necessary for productive usage with both the graphical interface and the command line interface. Furthermore, the main purpose of Xfld is demonstrating the latest Xfce.</p><h2><font
color="#003300">Education LiveCD</font></h2><p>Providing a collection of educational programs and/or used in an education or seminar environment.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Bioknoppix</strong><br
/> <a
href="http://bioknoppix.hpcf.upr.edu/"  title="http://bioknoppix.hpcf.upr.edu/" target="_blank"> http://bioknoppix.hpcf.upr.edu/</a></p><p>This LiveCD is for education and bio research. Bioknoppix is a customized distribution of the Knoppix Linux Live CD. With this distribution you just boot from the CD and you have a fully functional Linux OS distribution with open source applications targeted for the molecular biologist. Besides using some RAM, Bioknoppix doesn&#8217;t touch the host computer, making it ideal for demonstrations, molecular biology students, workshops, etc.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Fiubbix</strong><br
/> <a
href="http://moin.lug.fi.uba.ar/FiubbixDistro"  title="http://moin.lug.fi.uba.ar/FiubbixDistro" target="_blank"> http://moin.lug.fi.uba.ar/FiubbixDistro</a></p><p>Fiubbix is a Live-CD (a bootable distribution, 100% usable from a CD-ROM) derived from Knoppix and adapted for use by students of the Faculty of Engineering at the UBA (though probably also useful for other universities, for engineering and for the public in general).<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p><strong>Freeduc</strong><br
/> <a
href="http://www.ofset.org/freeduc-cd/"  title="http://www.ofset.org/freeduc-cd/" target="_blank"> http://www.ofset.org/freeduc-cd/</a></p><p>Until now — and probably for a while in most heads — the GNU/Linux system at school has been perceived as a good replacement for other proprietary servers. However, the server is probably the least important thing in terms of freedom in a school network. It doesn&#8217;t allow a teacher to share workstation software with students. Supporting GNU/Linux on the workstation side can grant greater freedom and liberty between users in a school. Therefore, OFSET has set up Freeduc, a tool to help to list, to evaluate and to package only free — non GPL exclusive &#8211; edu soft.</p><p><strong>LUC3M</strong><br
/> <a
href="http://crisol.uc3m.es/content/view/12/30/"  title="http://crisol.uc3m.es/content/view/12/30/" target="_blank"> http://crisol.uc3m.es/content/view/12/30/</a></p><p>A Spanish education-based LiveCD. LUC3M (read &#8216;Lucem&#8217;, accusative of Lux, or &#8220;Light&#8221;) is being developed by the CRUCIBLE group (information resource centre and free software), within the Computing Service of the University Carlos III of Madrid. Its aim is to develop a distribution to facilitate teaching, including applications for conducting practices and content development. Although in principle it&#8217;s aimed at students, teachers and administrative staff, it includes applications that can meet the needs of anyone.<img
src="http://ubuntulinuxhelp.com/wp-content/uploads/2008/03/spacer_gif.gif?9d7bd4" /></p><p>The DVD versions of old boots LUC3M distribution Live allowing work as if it were installed on the hard drive. A main advantage is that to run from the DVD drive, there is no need to install, and therefore can be tested without changing the configuration of equipment.</p><p><strong>Skole Linux</strong><br
/> <a
href="http://www.skolelinux.org/en/"  title="http://www.skolelinux.org/en/" target="_blank"> http://www.skolelinux.org/en/</a></p><p>Skolelinux is a complete tailored software solution for the needs of any educational institution or school. It is a ready computer system where your school does not need to piece together the components.</p><p>What makes Skolelinux unique is that any teacher can kickstart a whole network of computers within an hour. Experts and teachers have together handpicked the software that any school would need for its daily education of pupils and packaged it as a tailored solution for schools and educational purposes, made easy to install.</p><h2><font
color="#003300">Entertainment LiveCD</font></h2><p>Providing audio, video (multimedia) environments.</p><p><strong>AmaroK Live</strong><br
/> <a
href="http://amarok.kde.org/wiki/Amarok_Live#Amarok_Live"  title="http://amarok.kde.org/wiki/Amarok_Live#Amarok_Live" target="_blank"> http://amarok.kde.org/wiki/Amarok_Live#Amarok_Live</a></p><p>An entertainment LiveCD version. Amarok Live is a stripped down LiveCD with a fully functional Amarok music player bundled with the tracks commissioned last year by Wired Magazine, which are distributed under the Creative Commons Sampling Licenses.</p><p>Insert the CD and boot. In most cases, you can just hit return at the ISOLinux boot prompt. There are various cheat-codes / boot-parameters that you can use in case of hardware trouble.</p><p><strong>ByzantineOS</strong><br
/> <a
rel="nofollow" href="http://byzgl.sourceforge.net/wiki/index.php/Main_Page"  title="http://byzgl.sourceforge.net/wiki/index.php/Main_Page" target="_blank"> http://byzgl.sourceforge.net/wiki/index.php/Main_Page</a></p><p>A software internet appliance with a home entertainment bias. It is based on a networked Linux distribution/bootable system with Mozilla providing access to a range of services and applications. Fits in 32MB (or 48MB) of media and should work on any x86 based PC.</p><p><strong>GeeXboX</strong><br
/> <a
href="http://www.geexbox.org/en/index.html"  title="http://www.geexbox.org/en/index.html" target="_blank"> http://www.geexbox.org/en/index.html</a></p><p>GeeXboX is a free embedded Linux distribution which aims at turning your computer into a so-called HTPC (Home Theater PC) or Media Center. Being a standalone LiveCD-based distribution, it&#8217;s a ready-to-boot operating system that works on any Pentium-class x86 computer or PowerPC Macintosh, implying no software requirement. You can even use it on a diskless computer, the whole system being loaded in RAM.</p><p>Despite its tiny ISO image size, the distribution comes with complete and automatic hardware detection, not requiring any driver to be added. It supports playback of nearly any kind of audio/video and image files, and all known codecs and containers are shipped in, allowing them to be played from various physical media, whether CD, DVD, HDD, LAN or Internet.</p><p>GeeXboX also comes with a complete toolchain that allows developers to easily add extra packages and features, and that can also be used to give birth to many dedicated embedded Linux systems.</p><p><strong>MoviX</strong><br
/> <a
rel="nofollow" href="http://movix.sourceforge.net/"  title="http://movix.sourceforge.net/" target="_blank"> http://movix.sourceforge.net/</a></p><p>MoviX is a light media distribution that supports streaming, TV cards, slideshows, internet radio, infrared controllers and others. MoviX can boot from CDs, HDDs, USB Flash Drives, CompactFlash cards and network. MoviX2 is a spin-off project that features X alongside the usual MoviX configuration.</p><p>eMoviX is a tiny GNU/Linux distribution that plays video files when booted, based on MPlayer. It is utilised by MoviXMaker-2 and K3b.</p><p>MoviX distributions are very compact. In fact, smaller than Damn Small Linux.</p><p><strong>Musix GNU+Linux</strong><br
/> <a
href="http://www.musix.org.ar/en/index.html"  title="http://www.musix.org.ar/en/index.html" target="_blank"> http://www.musix.org.ar/en/index.html</a></p><p>It&#8217;s a 100% free multimedia operating system intended for music production, graphic design, audio and video editing, and all kinds of tasks. It contains an enormous collection of free (as in freedom) programs that can replace Windows.</p><p><strong>Myah OS</strong><br
/> <a
href="http://myah.org/"  title="http://myah.org/" target="_blank"> http://myah.org/</a></p><p>Myah OS is a performance desktop operating system. Made for home use with a focus on Internet, Office, and multimedia.  Myah OS has been optimized for i686 processors for fast performance. Myah OS is an original Linux distro, compiled from build scripts written by Jeremiah Cheatham.</p><p><strong>StreamBOX</strong><br
/> <a
href="http://streambox.org/"  title="http://streambox.org/" target="_blank"> http://streambox.org/</a></p><p>StreamBOX-LiveCD is a self-made, KNOPPIX-based boot CD, which is specially designed to stream MP3. There are also some programs to stream in the OGG-Vorbis format.</p><p><strong>Wolvix</strong><br
/> <a
href="http://wolvix.org/"  title="http://wolvix.org/" target="_blank"> http://wolvix.org/</a></p><p>Wolvix is a LiveDistro built from Slackware and the Linux-Live scripts. It&#8217;s a desktop and multimedia oriented Linux distribution designed to suit the needs of regular to advanced desktop users. Wolvix comes with the Xfce desktop environment and the Fluxbox window manager and includes a carefully selected group of development, graphics, multimedia, network and office applications.</p><h2><font
color="#003300">Firewalls LiveCD</font></h2><p>Providing firewall solutions.</p><p><strong>Formilux</strong><br
/> <a
href="http://formilux.ant-computing.com/"  title="http://formilux.ant-computing.com/" target="_blank"> http://formilux.ant-computing.com/</a></p><p>Formilux is a very light and secure Linux distribution. It is targeted at internet servers, routers, firewalls and semi-embedded systems. It requires very limited administration but needs fairly skilled administrators. Installing a secured proxy or a firewall requires just about 12 MB and a few minutes.</p><p><strong>Linux LiveCD Router</strong><br
/> <a
href="http://www.wifi.com.ar/english/cdrouter/"  title="http://www.wifi.com.ar/english/cdrouter/" target="_blank"> http://www.wifi.com.ar/english/cdrouter/</a></p><p>Speed-up your Internet connection! Linux LiveCD Router allows you to share, firewall and optimize your broadband connection. You can use DSL, ADSL, Cable Modem, T1, Fixed IPs, Dial-Up, WiFi and more. Includes traffic priority settings for VoIP and other apps. Can avoid ISP traffic limiting.</p><p><strong>m0n0wall</strong><br
/> <a
href="http://m0n0.ch/wall/"  title="http://m0n0.ch/wall/" target="_blank"> http://m0n0.ch/wall/</a></p><p>m0n0wall is a project aimed at creating a complete, embedded firewall software package that, when used together with an embedded PC, provides all the important features of commercial firewall boxes (including ease of use) at a fraction of the price (free software). m0n0wall is based on a bare-bones version of FreeBSD, along with a web server, PHP and a few other utilities. The entire system configuration is stored in one single XML text file to keep things transparent. m0n0wall is probably the first UNIX system that has its boot-time configuration done with PHP, rather than the usual shell scripts, and that has the entire system configuration stored in XML format.</p><p><strong>redWall Firewall</strong><br
/> <a
href="http://www.redwall-firewall.com/"  title="http://www.redwall-firewall.com/" target="_blank"> http://www.redwall-firewall.com/</a></p><p>redWall is a bootable CD-ROM firewall. Its goal is to provide a feature-rich firewall solution, with the main goal being to provide a web interface for all the logfiles generated!</p><p><strong>Sentry Firewall CD</strong><br
/> <a
href="http://www.sentryfirewall.com/"  title="http://www.sentryfirewall.com/" target="_blank"> http://www.sentryfirewall.com/</a></p><p>Sentry Firewall CD-ROM is a Linux-based bootable CDROM suitable for use as an inexpensive and easy to maintain firewall, server, or IDS (Intrusion Detection System) node. The system is designed to be immediately configurable for a variety of different operating environments via a configuration file located on a floppy disk, a local hard drive, and/or a network via HTTP(S), FTP, SFTP, or SCP.</p><p>The Sentry Firewall CD is a complete Linux system that runs off of an initial ramdisk, much like a floppy-based system, and a CD. The default kernel is a current 2.4.x series kernel with various Netfilter patches applied. An OpenWall-patched current 2.2.x kernel is also available on the CD.</p><h2><font
color="#003300">Forensics LiveCD</font></h2><p>Providing environments that contain forensic tools.</p><p><strong>F.I.R.E.</strong><br
/> <a
href="http://biatchux.dmzs.com/"  title="http://biatchux.dmzs.com/" target="_blank"> http://biatchux.dmzs.com/</a></p><p>FIRE is a portable, bootable CD-ROM based distribution with the goal of providing an immediate environment to perform forensic analysis, incident response, data recovery, virus scanning and vulnerability assessment.</p><p>It also provides the necessary tools for live forensics/analysis on win32, SPARC Solaris and x86 Linux hosts just by mounting the CD-ROM and using the trusted static binaries available in /statbins.</p><p><strong>Helix</strong><br
/> <a
href="http://www.e-fense.com/helix/"  title="http://www.e-fense.com/helix/" target="_blank"> http://www.e-fense.com/helix/</a></p><p>Helix focuses on Incident Response &amp; Forensics tools. It is meant to be used by individuals who have a sound understanding of Incident Response and Forensic techniques.</p><p><strong>Penguin Sleuth</strong><br
/> <a
href="http://www.linux-forensics.com/"  title="http://www.linux-forensics.com/" target="_blank"> http://www.linux-forensics.com/</a></p><p>Penguin Sleuth Kit, based on Knoppix, is a virtual computer forensics and security platform.</p><h2><font
color="#003300">Gaming LiveCD</font></h2><p>Providing gaming platforms.</p><p><strong>AdvanceCD</strong><br
/> <a
rel="nofollow" href="http://advancemame.sourceforge.net/"  title="http://advancemame.sourceforge.net/" target="_blank"> http://advancemame.sourceforge.net/</a></p><p>A gaming version on a bootable live CD, DVD and USB disk of a minimal Linux distribution containing the AdvanceMAME emulator.</p><p><strong>Freeduc</strong><br
/> <a
href="http://www.ofset.org/freeduc-games"  title="http://www.ofset.org/freeduc-games" target="_blank"> http://www.ofset.org/freeduc-games</a></p><p>French. GNU/Linux can be fun! They offer a special edition of Freeduc-cd dedicated to video games. It uses XFCE and is based on KNOPPIX/Debian, which allows them to easily add and develop additional software packages.</p><p><strong>KnoppiXMAME</strong><br
/> <a
rel="nofollow" href="http://sourceforge.net/projects/knoppixmame/"  title="http://sourceforge.net/projects/knoppixmame/" target="_blank"> http://sourceforge.net/projects/knoppixmame/</a></p><p>KnoppiXMAME is a bootable CD/DVD image with hardware automatic probing and configuration for playing MAME games. No games are included, but they can be added to the ISO image, as well as new versions of X-MAME, gxmame, and the Linux kernel.</p><h2><font
color="#003300">Medical LiveCD</font></h2><p>Providing medical systems or applications.</p><p><strong>CDMEDIC LIVE CD</strong><br
/> <a
rel="nofollow" href="http://cdmedicpacsweb.sourceforge.net/cdmedic_en.html"  title="http://cdmedicpacsweb.sourceforge.net/cdmedic_en.html" target="_blank"> http://cdmedicpacsweb.sourceforge.net/cdmedic_en.html</a></p><p>Full-featured free PACS based on ctn, dcmtk and mysql, with remote administration using apache mod perl and image processing capabilities using ImageMagick, Grevera&#8217;s dcm2pgm DICOM converter and AFNI, running in a Knoppix-based live CD in less than 5 minutes without hard disk installation, with interesting programs CTSim, XMedcon, Amide, FSL and Slicer. This is medical based.</p><p><strong>OIO System</strong><br
/> <a
href="http://www.txoutcome.org/"  title="http://www.txoutcome.org/" target="_blank"> http://www.txoutcome.org/</a></p><p>The Open Infrastructure for Outcomes (OIO) system enables clinicians, researchers, and other non-programmers to create and maintain flexible and portable patient/research records. It aims to achieve the &#8220;Holy Grail&#8221; of data portability as elegantly described by John G. Faughnan.</p><p>The major components of the OIO system are the web-accessible OIO Server and OIO Library. OIO Server is a highly flexible web-based data management system that manages users, patients, and information about patients. (Of course, the same system can just as easily manage information about customers, invoices, shipments, and accounts.)</p><p><strong>Toophpix</strong><br
/> <a
href="http://truth.positive-internet.com/~mpreston/tp/tp0412intro.html"  title="http://truth.positive-internet.com/~mpreston/tp/tp0412intro.html" target="_blank"> http://truth.positive-internet.com/~mpreston/tp/tp0412intro.html</a></p><p>Based on Knoppix, it sets up a LAMP server in RAM and facilitates various dental resources.</p><p><strong>WorldVistA</strong><br
/> <a
rel="nofollow" href="http://sourceforge.net/projects/worldvista"  title="http://sourceforge.net/projects/worldvista" target="_blank"> http://sourceforge.net/projects/worldvista</a></p><p>Furthering the cause of affordable healthcare information technology worldwide by advocating, championing, and employing the open source paradigm to expand the use and collaborative improvement of the VistA electronic health record.</p><h2><font
color="#003300">Public LiveCD</font></h2><p>Providing environments that can be quickly launched for general public use.</p><p><strong>Firefox LiveCD</strong><br
/> <a
rel="nofollow" href="http://linux.softpedia.com/get/System/Operating-Systems/Other/Firefox-LiveCD-4686.shtml"  title="http://linux.softpedia.com/get/System/Operating-Systems/Other/Firefox-LiveCD-4686.shtml" target="_blank">http://linux.softpedia.com/get/System/Operating-Systems/Other/Firefox-LiveCD-4686.shtml</a></p><p>Firefox LiveCD is a LiveCD similar to LiveKiosk, but with the original binary version of Mozilla Firefox. No changes were made to the user interface and everything is set to Firefox defaults.</p><p>LiveFirefox is intended for people who want to have a custom Firefox-based LiveCD, but find LiveKiosk unsuitable for this purpose.</p><p><strong>KioskCD</strong><br
/> <a
href="http://www.kioskcd.com/"  title="http://www.kioskcd.com/" target="_blank">http://www.kioskcd.com/</a></p><p>Your PC boots from the CD and a web browser appears — that&#8217;s it! Use wherever you want to supply Web access to people, without worrying about what they will do to your computer.</p><p><strong>MorphixLiveKiosk</strong><br
/> <a
href="http://www.morphix.org/"  title="http://www.morphix.org/" target="_blank"> http://www.morphix.org/</a></p><p>MorphixLiveKiosk is a Morphix CD, based on the previous LiveCDs released by LiveCD.net. It is a LiveCD that contains a locked-down version of the Firefox browser. Boot the computer using the LiveCD and you can use the browser &#8211; nothing else (well, apart from a screensaver). Close the browser and all the viewing history is deleted from memory.</p><h2><font
color="#003300">Rescue LiveCD</font></h2><p>Providing tools needed for data rescue and recovery.</p><p><strong>Crash Recovery Kit for Linux</strong><br
/> <a
href="http://crashrecovery.org/"  title="http://crashrecovery.org/" target="_blank"> http://crashrecovery.org/</a></p><p>A rescue disk. Crash Recovery for Linux sounds a bit superfluous. Linux is regarded as one of today&#8217;s most stable operating systems. In the case of a hardware failure such as a broken disk, however, it can be handy. Of course, your machine doesn&#8217;t have to have Linux installed to make use of the CRK. There are several uses and purposes for the CRK. To name a few:</p><p>Recovery of a trashed LILO boot record. How many times does it happen that some person installs Windows 98/95 after he/she installed Linux? Well, in that case Windows 9X just overwrites the MBR record and Linux won&#8217;t be able to boot anymore.</p><p>Backup over the network in the form of tar.gz tarballs. FAT16, FAT32, ext2 and all filesystems which Linux supports in a read/write fashion can be taken care of. The strong part of the CRK is when a disk is replaced or repartitioning is being done. The CRK boots a complete mini Linux with networking where all possible hardware which is inside the Linux kernel is available.</p><p>Testing hardware of new Intel-based machines.</p><p>Detecting versions and types of hardware. The Linux kernel holds a large database of supported hardware. Booting a Linux kernel doesn&#8217;t only resolve whether the hardware is OK, it also shows its specs. This can be handy if one wants to check out an old/new PC which is for sale.</p><p>Recovery of a misconfigured or hacked Linux system. Well, that can happen. /etc/fstab can be wrong or the root password is unknown etc.</p><p>Make a tape backup of a disk which can&#8217;t be booted anymore.</p><p>The CRK is based on RedHat Linux.</p><p><strong>FreeBSD LiveCD</strong><br
/> <a
rel="nofollow" href="http://livecd.sourceforge.net/"  title="http://livecd.sourceforge.net/" target="_blank"> http://livecd.sourceforge.net/</a></p><p>The FreeBSD LiveCD Tool Set has a main goal, which is to allow one to generate their own custom FreeBSD Live CDs.</p><p><strong>Hiren&#8217;s Boot CD</strong><br
/> <a
href="http://www.hiren.info/pages/bootcd"  title="http://www.hiren.info/pages/bootcd" target="_blank"> http://www.hiren.info/pages/bootcd</a></p><p>Appears to be primarily focused on Windows systems. Therefore it may be an exception to this list. :)</p><p><strong>Julex</strong><br
/> <a
rel="nofollow" href="http://julexlinux.sourceforge.net/"  title="http://julexlinux.sourceforge.net/" target="_blank"> http://julexlinux.sourceforge.net/</a></p><p>Julex is a Knoppix-based Linux distribution aimed at users who want to get files back from their hard drive after their computer fails to boot, troubleshoot their PC, get on the net in a hurry, or just use a small, light (no bloat) distro on their old (or new, if so inclined) computer.</p><p><strong>PLD Rescue CD</strong><br
/> <a
href="http://rescuecd.pld-linux.org/"  title="http://rescuecd.pld-linux.org/" target="_blank"> http://rescuecd.pld-linux.org/</a></p><p>PLD RescueCD is a bootable disk that contains a live Linux distribution based on PLD Linux (2.6.24.3 modular kernel) made in Poland. Furthermore this version uses transparent compression (squashfs) to fit about 180 MB of software onto a single mini CD in usable form.</p><p>PLD RescueCD can be used to rescue ailing machines, perform intrusion post-mortems, act as a temporary secure linux-based workstation (using ssh, vpn connecting to remote host &#8211; other networking clients are also supported), install PLD Linux, and perform many other tasks that we haven&#8217;t yet imagined. It provides a much nicer rescue environment than your average rescue floppy.</p><p><strong>PLoP Linux</strong><br
/> <a
href="http://www.plop.at/page_en_4.html"  title="http://www.plop.at/page_en_4.html" target="_blank"> http://www.plop.at/page_en_4.html</a></p><p>PLoP Linux is a small distribution that can boot from CD, DVD, USB flash drive (UFD), USB harddisk or from network with PXE. It&#8217;s designed to rescue data from a damaged system, backup and restore operating systems and more.</p><p><strong>RIP</strong><br
/> <a
href="http://www.tux.org/pub/people/kent-robotti/looplinux/rip/"  title="http://www.tux.org/pub/people/kent-robotti/looplinux/rip/" target="_blank"> http://www.tux.org/pub/people/kent-robotti/looplinux/rip/</a></p><p>(R)ecovery (I)s (P)ossible Linux rescue system. It&#8217;s a regular ISO used to create a system rescue CD. Make sure the program you use to download it understands it&#8217;s a binary file. If it&#8217;s downloaded as a text file it could get corrupted and be unusable.</p><p><strong>SystemRescueCd</strong><br
/> <a
href="http://www.sysresccd.org/Main_Page"  title="http://www.sysresccd.org/Main_Page" target="_blank"> http://www.sysresccd.org/Main_Page</a></p><p>SystemRescueCd is a Linux system on a bootable CDROM for repairing your system and recovering your data after a crash. It aims to provide an easy way to carry out admin tasks on your computer, such as creating and editing the partitions of the hard disk. It contains a lot of system utilities (parted, partimage, fstools, &#8230;) and basic tools (editors, midnight commander, network tools). It is very easy to use: just boot the CDROM. The kernel supports most of the important file systems (ext2/ext3, reiserfs, reiser4, xfs, jfs, vfat, ntfs, iso9660), as well as network filesystems (samba and nfs).</p><p><strong>Trinity Rescue Kit</strong><br
/> <a
href="http://trinityhome.org/Home/index.php?wpid=1&amp;front_id=12"  title="http://trinityhome.org/Home/index.php?wpid=1&amp;front_id=12" target="_blank"> http://trinityhome.org/Home/index.php?wpid=1&amp;front_id=12</a></p><p>Trinity Rescue Kit or TRK is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines, but is equally usable for Linux recovery issues. It is possible to boot TRK in three different ways: as a bootable CD which you can burn yourself from a downloadable ISO file; from a USB stick/disk (optionally also a fixed disk), installable from Windows or from the bootable TRK CD; or from the network over PXE, which requires some modifications on your local network.</p><p><strong>Ultimate Boot CD</strong><br
/> <a
rel="nofollow" href="http://ubcd.sourceforge.net/"  title="http://ubcd.sourceforge.net/" target="_blank"> http://ubcd.sourceforge.net/</a></p><p>You need the Ultimate Boot CD if you want to run floppy-based diagnostic tools from CDROM drives, free yourself from the slow loading speed of the floppy drive, consolidate as many diagnostic tools as possible into one bootable CD, or run Ultimate Boot CD from your USB memory stick. When you boot up from the CD, a text-based menu will be displayed, and you will be able to select the tool you want to run.</p><p>The selected tool actually boots off a virtual floppy disk created in memory.</p><h2><font
color="#003300">Security LiveCD</font></h2><p>Providing various network security type tools.</p><p><strong>Arudius</strong><br
/> <a
href="http://www.fosstools.org/"  title="http://www.fosstools.org/" target="_blank"> http://www.fosstools.org/</a></p><p>A security-based Linux version. An information assurance (IA) Linux live CD, used by information assurance professionals to help them assess systems and ensure the confidentiality, integrity, and availability of data. The CD is loaded with tools for penetration testing and vulnerability analysis. Information assurance has many other aspects besides network security. However, it seems that the mainstream public identifies information assurance primarily with securing network-accessible systems, so they decided to go with the mainstream and call Arudius a tool for information assurance. The CD consists of a Zenwalk Linux base on top of which a large collection of network security testing software has been installed &#8211; including tools listed on the Insecure.org Top 75 list plus many other tools listed on Freshmeat, Sf.net and other information assurance sites around the world.</p><p><strong>BackTrack</strong><br
/> <a
href="http://www.remote-exploit.org/backtrack.html"  title="http://www.remote-exploit.org/backtrack.html" target="_blank"> http://www.remote-exploit.org/backtrack.html</a></p><p>A security-related Linux LiveCD that is touted as the top-rated Linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-ROM and is fully accessible within minutes.</p><p><strong>BSI OSS</strong><br
/> <a
href="http://www.bsi.bund.de/produkte/boss/index.htm"  title="http://www.bsi.bund.de/produkte/boss/index.htm"> http://www.bsi.bund.de/produkte/boss/index.htm</a></p><p>Security based. The Open Source Software BOSS (BSI OSS Security Suite) essentially builds on the proven security scanner Nessus. The BOSS addition to the Security Local Auditing Daemon (SLAD), ensures the integrated management of local security software takes over.</p><p><strong>Frenzy</strong><br
/> <a
href="http://frenzy.org.ua/eng/"  title="http://frenzy.org.ua/eng/" target="_blank"> http://frenzy.org.ua/eng/</a></p><p>Frenzy is a &#8220;portable system administrator toolkit,&#8221; LiveCD based on FreeBSD. It generally contains software for hardware tests, file system check, security check and network setup and analysis. The ISO image is 200 MBytes in size (3&#8243; CD).</p><p><strong>grml</strong><br
/> <a
href="http://grml.org/"  title="http://grml.org/" target="_blank"> http://grml.org/</a></p><p>grml is a bootable CD (Live-CD) originally based on Knoppix and more recently based on Debian. grml includes a collection of GNU/Linux software especially for system administrators and users of text tools.</p><p>grml provides automatic hardware detection. You can use grml (for example) as a rescue system, for analyzing systems/networks or as a working environment. It is not necessary to install anything to a hard disk; you don&#8217;t even need a hard disk to run it. Due to on-the-fly decompression grml includes about 2.1GB of software and documentation on the CD.</p><p><strong>Insert</strong><br
/> <a
href="http://www.inside-security.de/insert_en.html"  title="http://www.inside-security.de/insert_en.html" target="_blank"> http://www.inside-security.de/insert_en.html</a></p><p>INSERT is a complete, bootable Linux system. It comes with a graphical user interface running the fluxbox window manager while still being sufficiently small to fit on a credit card-sized CD-ROM. INSERT contains a multitude of useful tools to be at your hand in a variety of situations.</p><p><strong>Navyn OS</strong><br
/> <a
href="http://navynos.linux.pl/"  title="http://navynos.linux.pl/" target="_blank"> http://navynos.linux.pl/</a></p><p>Navyn OS is a GNU/Linux distribution based on Gentoo. Gentoo isn&#8217;t a typical distribution like Debian or Slackware; it doesn&#8217;t even have an installer, and using it is similar to making your own distribution. The main part of Gentoo is Portage, a set of scripts for installing and removing programs.</p><p><strong>Network Security Toolkit</strong><br
/> <a
href="http://www.networksecuritytoolkit.org/nst/"  title="http://www.networksecuritytoolkit.org/nst/" target="_blank"> http://www.networksecuritytoolkit.org/nst/</a></p><p>This bootable ISO live CD is based on Fedora. The toolkit was designed to provide easy access to best-of-breed Open Source Network Security Applications and should run on most x86 platforms. The main intent of developing this toolkit was to provide the network security administrator with a comprehensive set of Open Source Network Security Tools.</p><p><strong>Plan-B</strong><br
/> <a
href="http://www.projectplanb.org/"  title="http://www.projectplanb.org/" target="_blank"> http://www.projectplanb.org/</a></p><p>Plan-B is a bootable Linux environment that needs no hard drive; it runs entirely in RAM or from the CD, and is based on a basic, stripped installation of Red Hat Linux and the fundamental workings of the SuperRescue CD.</p><p><strong>STD</strong><br
/> <a
href="http://www.knoppix-std.org/"  title="http://www.knoppix-std.org/" target="_blank"> http://www.knoppix-std.org/</a></p><p>STD is a Linux-based Security Tool. Actually, it is a collection of hundreds if not thousands of open source security tools. It&#8217;s a Live Linux Distro, which means it runs from a bootable CD in memory without changing the native operating system of the host computer. Its sole purpose in life is to put as many security tools at your disposal with as slick an interface as it can.</p><p>STD is meant to be used by both novice and professional security personnel but is not ideal for the Linux uninitiated. STD assumes you know the basics of Linux as most of your work will be done from the command line. If you are completely new to Linux, it&#8217;s best you start with another live Distro like Knoppix to practice the basics.</p><p><strong>WarLinux</strong><br
/> <a
rel="nofollow" href="https://sourceforge.net/projects/warlinux/"  title="https://sourceforge.net/projects/warlinux/" target="_blank"> https://sourceforge.net/projects/warlinux/</a></p><p>A Linux distribution for Wardrivers. It is available on disk and bootable CD. Its main intended use is for systems administrators that want to audit and evaluate their wireless network installations. Should be handy for wardriving also.</p><h2><font
color="#003300">Servers LiveCD</font></h2><p>Providing server systems.</p><p><strong>ATMission</strong><br
/> <a
href="http://www.atconsultancy.nl/atmission/"  title="http://www.atconsultancy.nl/atmission/" target="_blank"> http://www.atconsultancy.nl/atmission/</a></p><p>A server and desktop Linux LiveCD. The main advantage of ATmission compared to other Live Linux CDs is its flexibility. You can modify any file on the ATmission Live CD. This implies that you can: create user accounts, install additional RPMs, start a database on boot, configure a firewall, etc&#8230; anything you can do with a normal Linux system, and preserve your changes in a file located on hard disk or a USB memory stick.</p><p><strong>Devil-Linux</strong><br
/> <a
href="http://www.devil-linux.org/home/index.php"  title="http://www.devil-linux.org/home/index.php" target="_blank"> http://www.devil-linux.org/home/index.php</a></p><p>Devil-Linux is a distribution which boots and runs completely from CDROM. The configuration can be saved to a floppy diskette or a USB pen drive. Devil Linux was originally intended to be a dedicated firewall/router but now Devil-Linux can also be used as a server for many applications. Attaching an optional hard drive is easy, and many network services are included in the distribution.</p><p>The system is designed to install without the use of a hard drive. It requires the use of a CDROM and a write-protected floppy. The CDROM provides the operating system, and the floppy provides the configuration information, via a tarball that is unpacked into the /etc directory. In this way, the system is fully configurable, yet the running system has no writeable device.</p><p><strong>ffsearch-LiveCD</strong><br
/> <a
href="http://ffsearch.packetstorm.ch/"  title="http://ffsearch.packetstorm.ch/" target="_blank"> http://ffsearch.packetstorm.ch/</a></p><p>ffsearch-LiveCD is a modified Knoppix-Linux with Fast File Search running on top of it. This way, no installation is required! You can download an ISO, burn it on CD, put the disc in your CD drive and boot it up. It crawls the net for SMB and FTP shares and provides you with a web interface for searching these files.</p><p><strong>LAMPPIX</strong><br
/> <a
href="http://lamppix.tinowagner.com/"  title="http://lamppix.tinowagner.com/" target="_blank"> http://lamppix.tinowagner.com/</a></p><p>LAMPPIX allows you to burn your web projects (i.e. PHP presentations or Perl scripts) onto a CD-ROM and give them away to others. They will only have to insert the CD and reboot &#8212; if you configured LAMPPIX properly (and this is really easy!) they can view your project.</p><p><strong>SoL</strong><br
/> <a
href="http://www.sol-linux.com/"  title="http://www.sol-linux.com/" target="_blank"> http://www.sol-linux.com/</a></p><p>It&#8217;s a server based system. There are tons of options; visit their site to learn more.</p><p><strong>Zeroshell</strong><br
/> <a
href="http://www.zeroshell.net/eng/"  title="http://www.zeroshell.net/eng/" target="_blank"> http://www.zeroshell.net/eng/</a></p><p>Zeroshell is a small Linux distribution for servers and embedded devices aimed at providing the main network services a LAN requires. It is available in the form of Live CD or Compact Flash image and you can configure and administer it using your web browser.</p> ]]></content:encoded> <wfw:commentRss>http://ubuntulinuxhelp.com/130-useful-linux-based-livecd-versions/feed/</wfw:commentRss> <slash:comments>30</slash:comments> </item> <item><title>Creating an Opensource Network Gateway in Linux Ubuntu &#8211; Part 1</title><link>http://ubuntulinuxhelp.com/creating-an-opensource-network-gateway-in-linux-ubuntu-part-1/</link> <comments>http://ubuntulinuxhelp.com/creating-an-opensource-network-gateway-in-linux-ubuntu-part-1/#comments</comments> <pubDate>Sat, 29 Mar 2008 14:29:20 +0000</pubDate> <dc:creator>Roger Wheatley</dc:creator> <category><![CDATA[Hands On]]></category> <category><![CDATA[How To]]></category> <category><![CDATA[administration]]></category> <category><![CDATA[firewall]]></category> <category><![CDATA[gateway]]></category> <category><![CDATA[network]]></category> <category><![CDATA[opensource]]></category> <category><![CDATA[router]]></category> <category><![CDATA[spam blocker]]></category> <category><![CDATA[untangle]]></category><guid
isPermaLink="false">http://ubuntulinuxhelp.com/creating-an-opensource-network-gateway-in-linux-ubuntu-part-1/</guid> <description><![CDATA[I was reading a story on Digg this morning, about an 11 year old child who was functioning as the network manager for some private school&#8217;s network. Within the comments was a post that referred to &#8220;Untangle&#8221; and why the school chose not to use it. The commenter suggested that the individual probably didn&#8217;t know [...]]]></description> <content:encoded><![CDATA[<p>I was reading a story on <a
href="http://digg.com/security/11_year_old_takes_school_network_by_the_horns"  rel="nofollow" title="http://digg.com/security/11_year_old_takes_school_network_by_the_horns" target="_blank">Digg</a> this morning, about an 11 year old child who was functioning as the network manager for some private school&#8217;s network. Within the comments was a post that referred to &#8220;Untangle&#8221; and why the school chose not to use it. The commenter suggested that the individual probably didn&#8217;t know how to configure the application suite, and that&#8217;s why it was not used. The Untangle web site however, says:</p><p>&#8220;<em>&#8230;if you have a basic knowledge of networking, you can install, use and maintain Untangle. With just a few steps, you can transform a rack of servers into one single point of control. And it works from the<span
id="more-1247"></span> minute you set it up, providing instant protection&#8230;</em>&#8221;</p><p>I thought I&#8217;d take a closer look at <a
href="http://www.untangle.com/"  title="http://www.untangle.com/" target="_blank">Untangle</a>. For those not familiar with it, Untangle is a suite of applications which facilitate a Network Gateway. Some of the features are spam blocking, web filtering, firewall, routing, reporting, etc. It&#8217;s under the OpenSource banner and is free to use and download.</p><p>The download is an ISO image which you can burn to CD and install on a PC-based system. However, there are a couple caveats we need to be aware of. The installation should be performed on a PC dedicated to this function, because the installation will erase all data off the existing hard drive. If you&#8217;re seriously interested in trying Untangle, you&#8217;ll need to be aware of the recommended hardware specifications:</p><p>CPU &#8211; 2.0GHz<br
/> DDR &#8211; 1-2GB<br
/> HDD &#8211; 40GB<br
 /> NIC &#8211; 2 or 3 if you&#8217;ll require a DMZ</p><p>For those of us installing in a home network environment, small business, school, etc., the best place to locate your new Network Gateway is either between your ISP broadband (or other connection) and router, or between your router and the network itself.</p><p>Upon casual observation, it appears that this may be a simple solution to install. I suspect it&#8217;s the configuration that would take some common sense decisions. I&#8217;m downloading the package as I type this post and will burn to CD later this weekend.</p><p>Next month (April&#8230; only a couple days away), in part 2 of this post, I&#8217;ll perform the actual install and configuration and report back any issues as well as exciting features. If anyone else has experience with this suite, we&#8217;d like to read what you have to say (just comment about it). If this is as smooth and powerful as the Untangle web site suggests, I can think of at least a dozen places this could be used!</p><p>Stay tuned for April&#8217;s &#8220;part 2&#8221; of this post.<br
/> Have a great weekend everyone!</p> ]]></content:encoded> <wfw:commentRss>http://ubuntulinuxhelp.com/creating-an-opensource-network-gateway-in-linux-ubuntu-part-1/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> </channel> </rss>
