Snowfence - a simple firewall for Zaurus

Snowfence is a simple firewall for the Sharp Zaurus, a GNU/Linux-based palmtop computer. It uses the Linux kernel's iptables firewall support to limit the ability of potential attackers to access the Zaurus's services remotely while still allowing the Zaurus's legitimate local user to make use of the network as usual.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License (LICENSE in the source distribution) for more details.

Download

IPK package:: snowfence_1.2_arm.ipk (2473 bytes)
Source:: snowfence-1.2.tar.gz

Note that some web browsers will automatically decompress .ipk files when downloading, effectively destroying them. Make sure the length of the downloaded file matches the length shown above.

Iptables support

In order to run Snowfence, you will first need to install (1) the iptables kernel modules and (2) the iptables utility programs. Most Zaurus ROMs, including the standard ROMs from SHARP, do not come with this software installed by default. However, you should be able to find packages on the web. Check your favorite software feed.

Note that, unlike most application software, iptables kernel module packages are apt to be specific to a particular Linux kernel version. These are the packages I use on my SL-6000 (Sharp ROM 1.12, Linux kernel 2.4.18):

For those who are using different ROMs or Linux kernels, I've had reports of success from:

a SL-C3100 user (Sharp ROM 1.02JP, Linux kernel 2.4.20) who downloaded his iptables packages from the Zaurus User Group feed, and
an OpenZaurus user who downloaded his iptables packages from the OpenZaurus feed.

The package names may vary slightly between feeds. Expect at least two packages: one for the kernel modules and one for the utility programs.

How it works

This section contains the part of the Snowfence script that sets up the firewall, with explanatory comments.

    # Empty all tables and set default policies:
    # Unless specifically permitted below, drop all incoming
    # packets.  No forwarding.  Outgoing packets are allowed.
    iptables -F INPUT
    iptables -P INPUT DROP
    iptables -F FORWARD
    iptables -P FORWARD DROP
    iptables -F OUTPUT
    iptables -P OUTPUT ACCEPT

    # Allow incoming packets on the loopback and usb
    # interfaces.  These rules permit normal usage of
    # local programs and the cradle.
    iptables -A INPUT -i lo   -j ACCEPT
    iptables -A INPUT -i usb+ -j ACCEPT

    # On the remaining interfaces (Ethernet, wireless, and so on),
    # allow incoming packets only if they are part of, or
    # related to, an existing session.  In other words, your
    # Zaurus will participate in conversations with other
    # computers only when *you* start the conversation, not
    # *them*.  Consequently, you should be able to browse the
    # web, read and send E-mail, and so on, as usual.
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # That's all for the standard rules.  Here are some hints for
    # customizing the firewall for more advanced needs.  If you
    # would like to run some server on your Zaurus, uncomment the
    # appropriate line below, or add your own.
    #
    # For sshd:
    # iptables -A INPUT -p tcp --dport ssh -j ACCEPT
    #
    # For a web server:
    # iptables -A INPUT -p tcp --dport www -j ACCEPT

How to make sure it's working

The install script automatically starts the firewall. Also, it installs the proper links in /etc/rc.d to start the firewall on reboot. You can start and stop the firewall manually by running /etc/rc.d/init.d/firewall start and stop, respectively.

Here are two ways to verify that Snowfence is running:

Try to ping your Zaurus from another machine. If Snowfence is not running, your Zaurus should respond to pings. If Snowfence is running, it should not respond at all.

Alternately, you can run the lsmod command to make sure the firewall startup script has loaded the iptables, iptables-filter, and ipt_state modules. Then run the iptables -vL command. (You may find iptables installed in /sbin, /usr/sbin, or /usr/local/sbin depending on the whim of whoever packaged it.) It should output a list of rules for Chain INPUT that corresponds to the rules explained above. For example, on my Zaurus the output is:

Chain INPUT (policy DROP 10 packets, 840 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 7443  723K ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 ACCEPT     all  --  usb+   any     anywhere             anywhere            
   80 14142 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 7561 packets, 735K bytes)
 pkts bytes target     prot opt in     out     source               destination

The packets, pkts and bytes numbers are apt to be different; this is OK.

Changelog

1.0: Initial release.
1.1: Generalized to support different ROMs.
1.2: Generalized to support iptables utility .ipks that put the iptables command in directories other than /usr/local/sbin.

Feedback is welcome. If you'd like to report a successful install of Snowfence, please include the model of your Zaurus, your ROM version number, and your Linux kernel version number, if possible. Follow the link below for my E-mail address.

Tim Fraser's homepage at the WPI alumni site

$Id: index.html,v 1.8 2005/11/26 18:11:42 tim Exp $