
LEAF - Linux Embedded Appliance Firewall

LEAF is a stripped-down Linux distribution that runs off any bootable read-only device. It is primarily intended for firewall and router appliances but today serves various other functions as well. There is still an active community on this SourceForge project, so if you would like to know more about LEAF you can read all about it on the project's homepage.
This page holds some of the tweaks that I performed on LEAF's Bering uClibc distribution. I've placed them here because I realize that only some of you may actually like these tweaks and want to use them. I would not want to confuse newbies and therefore feel these contributions should probably not be included in the main distribution. I also do not follow every new release of LEAF and will not upload any modules for versions other than the one I use myself.

lrpStat

lrpStat was first created by Martin Hejl in 2000. The website is still up but has been inactive for several years. The normal script outputs the traffic measured on the Ethernet ports of your LEAF machine. I rewrote the script submitted by Andrew Hoying on Martin's Tips page so it will run on any LEAF distribution and also show CPU usage and the number of connections. If you think you can optimize this script: don't! The script originates from many trials and even more errors.

#!/bin/sh -e
# lrpStat data source for LEAF: every two seconds print /proc/net/dev followed by two
# synthetic interfaces in the same 16-column layout, cpu0 (CPU load, context switches)
# and conn0 (conntrack entries, distinct source addresses), then a "#" separator line.
trap "exit 1" 1
trap "exit 1" 2

PATH=/bin:/sbin:/usr/bin:/usr/sbin
export PATH

# Print "<busy ticks> <total ticks>" from the summary "cpu " line of /proc/stat.
# "rest" swallows the extra columns that newer kernels add after idle.
getcpu() {
  grep "cpu " /proc/stat | while read a b c d e rest; do echo `expr $b + $c + $d` `expr $b + $c + $d + $e`; done
}

# Given "busy1 total1 busy2 total2", print the busy percentage over that interval.
# Appending "00" to the busy delta multiplies it by 100 without a second expr call.
# expr exits 1 when its result is 0, which -e would treat as a failure, hence "|| true".
testcpu() {
  echo $* | while read a b c d; do d1=`expr $c - $a || true`; d2=`expr $d - $b`; echo `expr ${d1}00 / ${d2}`; done
}

cpu1=`getcpu`
ctxt1=`grep "ctxt" /proc/stat | sed 's/[^ ]* *//'`
ctxt=0
cpu=0
connects=0
uniq=0
sleep 2

while [ 1 ]
do
  cpu2=`getcpu`
  ctxt2=`grep "ctxt" /proc/stat | sed 's/[^ ]* *//'`
  cputest=`testcpu $cpu1 $cpu2`
  # only add non-zero values: "expr 0 + 0" exits 1 and would abort the script under -e
  if [ $cputest -ne 0 ]
  then
    cpu=`expr $cpu + $cputest`
  fi
  cpu1=$cpu2
  ctxtdiff=`expr $ctxt2 - $ctxt1 - ${ctxt}0`
  ctxtest=`expr $ctxtdiff / 10`
  ctxt=`expr $ctxt + $ctxtest`
  diffconnects=`cat /proc/net/ip_conntrack|wc -l`
  connects=`expr $connects + $diffconnects`
  # distinct source addresses: the first "src=" value of every conntrack entry
  diffuniq=`cat /proc/net/ip_conntrack |cut -d= -f 2|cut -d' ' -f 1|sort -u|wc -l`
  uniq=`expr $uniq + $diffuniq`
  cat /proc/net/dev
  # columns 1/2 and 9/10 of the fake interfaces carry (cumulative, last interval) pairs;
  # both lines must have exactly 16 columns like /proc/net/dev
  echo cpu0:$cpu $cputest 0 0 0 0 0 0 $ctxt $ctxtest 0 0 0 0 0 0
  echo conn0:$connects $diffconnects 0 0 0 0 0 0 $uniq $diffuniq 0 0 0 0 0 0
  echo \#

  sleep 2
done
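As an added example (not part of the original page or of lrpStat itself), a small Python parser for the stream the script above produces: the /proc/net/dev dump, the synthetic cpu0 and conn0 lines and the "#" separator. The two samples are constructed, and the byte rates assume the script's two-second interval.

```python
# Parses the stream produced by the lrpStat script above (added example, not the
# page's own code): a /proc/net/dev dump plus synthetic cpu0/conn0 lines, then "#".
# Constructed sample: two consecutive samples. "eth0:1000000" has no space after the
# colon, as real /proc/net/dev does once a counter fills its column.
SAMPLE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0:1000000   10000    0    0    0     0          0         0   500000    8000    0    0    0     0       0          0
cpu0:37 5 0 0 0 0 0 0 120 12 0 0 0 0 0 0
conn0:150 150 0 0 0 0 0 0 9 9 0 0 0 0 0 0
#
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0:1030000   10100    0    0    0     0          0         0   510000    8100    0    0    0     0       0          0
cpu0:49 12 0 0 0 0 0 0 133 13 0 0 0 0 0 0
conn0:340 190 0 0 0 0 0 0 23 14 0 0 0 0 0 0
#
"""

def parse_samples(text):
    """Split the stream at each "#" line; each sample maps a device name to its 16 counters."""
    samples, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line == "#":                       # end-of-sample marker printed by the script
            samples.append(current)
            current = {}
        elif ":" in line:                     # the two header lines contain no colon
            name, _, counters = line.partition(":")
            fields = [int(x) for x in counters.split()]
            if len(fields) == 16:             # 8 receive + 8 transmit columns
                current[name.strip()] = fields
    return samples

def summarize(samples, interval=2):
    """Per-interval view: (rx, tx) bytes/s per interface plus the script's CPU and conntrack figures."""
    out = []
    for prev, cur in zip(samples, samples[1:]):
        row = {}
        for dev, f in cur.items():
            if dev == "cpu0":
                # column 2 is busy % over the last interval, column 10 is ctxt switches / 10
                row["cpu_pct"], row["ctxt_per_10"] = f[1], f[9]
            elif dev == "conn0":
                # column 2 is current conntrack entries, column 10 is distinct source addresses
                row["conns"], row["uniq_src"] = f[1], f[9]
            elif dev in prev:
                row[dev] = ((f[0] - prev[dev][0]) // interval, (f[8] - prev[dev][8]) // interval)
        out.append(row)
    return out
```

A sudden jump in the conn0 figures between two samples is the kind of thing worth watching on a small firewall, since the script reports both the total conntrack entries and how many distinct sources they come from.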

GeoIP

GeoIP is a Netfilter patch by Nicolas Bouliane and Samuel Jean. It allows you to base firewall rules on geographical location. There is some controversy around this patch, which some consider racist. I have a simple reason for using it. I have colleagues working throughout the country who may need to access services on our internal network. I have absolutely no need for anyone else to do the same as my intended users, and the GeoIP module gives me a quick primary filter against anyone who should not be trying to access any of these services. It gets even better: since any hacker that is not stopped by the firewall has to be based within my own country, it's fairly easy for me to take legal measures against any damage caused.
Note that you cannot define any of the GeoIP-based rules in Shorewall. I may upload an alternative later that offers basic firewall functionality based on Shorewall configuration files, combined with the option to use GeoIP as a target. No VPN or other fancy stuff, though.

I have two downloads for GeoIP:
The GeoIP LEAF package is designed for iptables 1.3.5 on Bering uClibc kernel 2.4.34. It may run on other kernels, but it is crucial that you use the specified version of iptables. Unfortunately this version of iptables is not very descriptive and may show a very cryptic error if you forgot to load the included kernel module (ipt_geoip.o), so check this first if you're seeing errors.
Download the GeoIP LEAF package

The GeoIP package includes a fake database that only contains the zone "LO", which you can use to test functionality. Specifying "LO" filters on the RFC 1918 private ranges (10.0.0.0/8, 224.0.0.0/8, 192.168.0.0/16). You can overwrite this database with one you created yourself from the original listing on MaxMind.
To create your own database you need the csv2bin utility, available from the GeoIP authors' website.
Download the GeoIPdb LEAF package (GeoIP database from August 1, 2009) for a quick start.

Shamefully, this host does not allow me to offer the files with the .lrp extension, so there is a little action you should take before using these in LEAF: unzip them :)


Last modified: August 7, 2009