Snowfence - a simple firewall for Zaurus

Snowfence is a simple firewall for the Sharp Zaurus, a GNU/Linux-based palmtop computer. It uses the Linux kernel's iptables firewall support to limit the ability of potential attackers to access the Zaurus's services remotely while still allowing the Zaurus's legitimate local user to make use of the network as usual.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License (LICENSE in the source distribution) for more details.


IPK package:
snowfence_1.2_arm.ipk (2473 bytes)
Note that some web browsers will automatically decompress .ipk files when downloading, effectively destroying them. Make sure the length of the downloaded file matches the length shown above.

Iptables support

In order to run Snowfence, you will first need to install (1) the iptables kernel modules and (2) the iptables utility programs. Most Zaurus ROMs, including the standard ROMs from SHARP, do not come with this software installed by default. However, you should be able to find packages on the web. Check your favorite software feed.

Note that, unlike most application software, iptables kernel module packages are apt to be specific to a particular Linux kernel version. These are the packages I use on my SL-6000 (Sharp ROM 1.12, Linux kernel 2.4.18):

For those who are using different ROMs or Linux kernels, I've had reports of success from: The package names may vary slightly between feeds. Expect at least two packages: one for the kernel modules and one for the utility programs.

How it works

This section contains the part of the Snowfence script that sets up the firewall, with explanatory comments.

    # Empty all tables and set default policies:
    # Unless specifically permitted below, drop all incoming
    # packets.  No forwarding.  Outgoing packets are allowed.
    iptables -F INPUT
    iptables -P INPUT DROP
    iptables -F FORWARD
    iptables -P FORWARD DROP
    iptables -F OUTPUT
    iptables -P OUTPUT ACCEPT

    # Allow incoming packets on the loopback and usb
    # interfaces.  These rules permit normal usage of
    # local programs and the cradle.
    iptables -A INPUT -i lo   -j ACCEPT
    iptables -A INPUT -i usb+ -j ACCEPT

    # On the remaining interfaces (Ethernet, wireless, and so on),
    # allow incoming packets only if they are part of, or
    # related to, an existing session.  In other words, your
    # Zaurus will participate in conversations with other
    # computers only when *you* start the conversation, not
    # *them*.  Consequently, you should be able to browse the
    # web, read and send E-mail, and so on, as usual.
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # That's all for the standard rules.  Here are some hints for
    # customizing the firewall for more advanced needs.  If you
    # would like to run some server on your Zaurus, uncomment the
    # appropriate line below, or add your own.
    # For sshd:
    # iptables -A INPUT -p tcp --dport ssh -j ACCEPT
    # For a web server:
    # iptables -A INPUT -p tcp --dport www -j ACCEPT

How to make sure it's working

The install script automatically starts the firewall. Also, it installs the proper links in /etc/rc.d to start the firewall on reboot. You can start and stop the firewall manually by running /etc/rc.d/init.d/firewall start and stop, respectively.

Here are two ways to verify that Snowfence is running:


Initial release.
Generalized to support different ROMs.
Generalized to support iptables utility .ipks that put the iptables command in directories other than /usr/local/sbin.

Feedback is welcome. If you'd like to report a successful install of Snowfence, please include the model of your Zaurus, your ROM version number, and your Linux kernel version number, if possible. Follow the link below for my E-mail address.

Tim Fraser's homepage at the WPI alumni site

$Id: index.html,v 1.8 2005/11/26 18:11:42 tim Exp $