What is Gibraltar?
Gibraltar is a project that aims to produce a Debian
GNU/Linux based router / firewall package. The package will be bootable
directly from CD-ROM, so it does not need to be installed on a harddisk.
It is planned to release all source code under the terms of the GNU
GPL.
Features
Since Gibraltar is based on Debian GNU/Linux, it will have all features
that you would expect from a full-blown installation. These include, but
are not limited to:
- full IPv4, IPv6, IPX and Appletalk protocol support
- static routing for all supported protocols
These options are supported for IPv4 and partially for IPv6:
- dynamic routing: BGP4, BGP-4+, RIPv1, RIPv2, RIPng, OSPFv2, OSPFv3
- routing based on source address, incoming interface, type of service, source
  / destination port, protocol type, ...
- multicast routing
- full NAT and masquerading support (even in combination with source-based
  routing)
- transparent proxy support for
- CBQ, CSZ, RED and other traffic control
- RSVP
- support for ethernet (10, 100, 1000 MBit/s), wireless, token ring, ARCnet,
  PPP, SLIP, PLIP, ISDN and HAM radio network interfaces
- multiple interfaces supported (already tested with 12 interfaces)
- advanced firewalling: stateful / non stateful
- address configuration options: static, BOOTP, DHCP, dynamically via PPP
- can act as a DHCP server to configure IPv4 clients
- can configure IPv6 clients which use stateless autoconfiguration
Requirements
These are the minimal requirements for running Gibraltar:
- Intel 486 compatible or better
- 16 MB RAM (it may or may not be possible to run with 8 MB, but this has
  not been tested)
- floppy drive
- any ATAPI or SCSI CD-ROM drive (does not have to be bootable)
- network interface(s)
Normally, a Pentium class PC can handle multiple 100 MBit/s interfaces
for routing, NAT and firewalling without problems. Optionally, a harddisk
can be used to store log files and other persistent data. The main configuration
data will be stored on a single floppy disk.
Design
Gibraltar is designed to work completely off the CD-ROM, with configuration
data stored on a floppy disk. This is quite different from the common approach,
where everything (program and configuration files) is stored on a hard
disk. It might be uncommon and new, but there are quite a few advantages:
- secure
- easy setup
- easy updates
- easy handling of configuration (write-protected, backup, different versions)
However, there are also disadvantages of not storing the program files
on a harddisk and I do not want to hide them:
- a CD-ROM drive must be available
- a software update needs a new CD-ROM and a reboot
There is also the option of installing Gibraltar completely on harddisk,
thus eliminating the disadvantages. But if Gibraltar is installed completely
or partially (only the program files, configuration data still stored on
floppy disk) on harddisk, some of the advantages are lost. It will not
be as secure as if it were running from CD-ROM, and if configuration
files are stored on the harddisk, they can not be handled transparently.
Another design goal is to make it operational without a system console.
There is no need for a keyboard or a monitor to be attached to the machine
Gibraltar is running on. Everything can be configured over the network. Any operations
that need to be done directly on the machine (e.g. inserting configuration
disk during bootup) are possible without a monitor. When a disk needs to
be inserted, the machine simply beeps. It is also possible to configure
it fully over a serial line,
You can view the beginnings of a detailed project
description in German. When I have finished the German version, I will
translate it to English.
Here you will soon find the user documentation
and the technical documentation of the internals
too.
Status
The project has just begun. At the moment I am working on getting my test installation
to run with a read-only root filesystem. This is not that easy. The current
Gibraltar CD works from its read only filesystem, but I am not sure if
all of the software packages work without further changes. I have tested
the standard daemons, ssh, webmin and postfix. If you encounter any problems,
please tell me.
However, the initrd boot image is already working and I am quite happy
with it. It already does everything it should: auto-detect SCSI adapters,
load the appropriate modules, check for installed CD-ROM drives, search
for the Gibraltar CD and set the root device to it. So booting with it
from a CD works, and init is called from the CD root file system.
Download
At the moment there are only pre-releases. It seems quite stable on my
test machines, but you should not depend on it for production machines
yet.
You can download it from one of the mirror sites (see below for the
list).
The ISO images are now signed with my GPG/PGP
public key. It is also available on public PGP key servers with the
name "Rene Mayrhofer <rmayr@vianova.at>" and the ID "C3C24BDE".
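One way to check a downloaded image against that key before burning it, as an added example that is not part of the original page or the Gibraltar scripts: it parses gpg's machine-readable status output and fails closed unless the signature is valid and was made by the expected key. The detached-signature layout, the file names passed on the command line and the all-zero fingerprint prefix in the sample are assumptions; only the key ID and user ID come from the page.

```shell
#!/bin/sh
# Added example. Only the key ID and user ID come from the page; the file
# names and the all-zero fingerprint prefix are constructed placeholders.
EXPECTED_KEY="C3C24BDE"  # short ID from the page; short IDs can collide, so
                         # pin the full fingerprint once confirmed out of band

# signer_ok EXPECTED: reads `gpg --status-fd` lines on stdin. Succeeds only
# if a valid signature by a key whose fingerprint ends in EXPECTED is present
# and no signature is bad, unverifiable, expired-key or revoked-key.
signer_ok() {
    awk -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        function ends(s) { s = toupper(s); n = length(want)
            return length(s) >= n && substr(s, length(s) - n + 1) == want }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing key, last field the primary key
        $2 == "VALIDSIG" { if (ends($3) || ends($NF)) good = 1; else bad = 1 }
        END { exit (good && !bad) ? 0 : 1 }'
}

# verify_iso IMAGE SIGNATURE: detached-signature check (assumed layout).
verify_iso() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        signer_ok "$EXPECTED_KEY"
}

# Constructed status output for a good signature (not captured from gpg).
FPR="00000000000000000000000000000000C3C24BDE"
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 00000000C3C24BDE Rene Mayrhofer <rmayr@vianova.at>
[GNUPG:] VALIDSIG $FPR 2000-08-01 965088000 0 3 0 17 2 00 $FPR"

if [ "$#" -eq 2 ]; then
    if verify_iso "$1" "$2"; then echo "signature OK"
    else echo "verification FAILED" >&2; exit 1; fi
fi
```

A valid signature from any other key is treated as a failure, which is the case a plain "Good signature" message does not distinguish.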
Important note: After booting the downloaded version, the 'root'
account on the system has the password 'gibraltar'. You should change this
as soon as possible.
Attention: I was recently informed
that at the moment it is illegal to use Gibraltar inside the USA because
it contains code based on the RSA algorithm (it contains the openssl package
which is used by others like openssh or libnet-ssleay-perl for providing
https support for webmin). Until the RSA patent expires on 20. September
2000, these programs can not be used legally within the USA.
You can check the expiration of the patent here.
I think that software patents are very counterproductive. If you think
so too then please sign the petition
against software patents in Europe.
Mirror Sites
The administrators of these sites were kind enough to offer a mirror for
Gibraltar. Normally, mirroring is done daily so new releases will show
up on the mirrors on the next day. If you can, then wait for a day and
download from the mirrors.
Attention: At the moment I am trying to
find out if servers in the USA can legally mirror Gibraltar. It contains
strong encryption software and therefore there might be problems when it
is downloaded from a mirror in the USA (they call it "exporting" although
the software has been put together outside the USA). So to be safe, you
should download from a non-US mirror if you live outside the USA.
Mailing list
There is a mailing list for Gibraltar that is used for announcements and
discussions. At the moment, this list is very low-volume. If you are interested
in Gibraltar, you can subscribe to the list here.
Links
Contact
The author of all scripts used for booting a Debian GNU/Linux system from
CD-ROM is Rene Mayrhofer. You can contact me directly
(email to rene.mayrhofer@vianova.at) or via the Gibraltar mailing list.
This server is powered by Debian GNU/Linux.
The Secondary DNS Server for gibraltar.at has been donated by
NetWay.