More specialty Linuxes to the rescue

The day of the mold-your-own OS has come, and Linux is the clay.

Linux provides free and open access to the source for the OS itself. Developers are free to tailor a custom Linux -- even down to the level of the kernel itself. You can trim away drivers, services, and other OS components unneeded by the task for which the custom distribution will be targeted.

[ Check out InfoWorld Test Center's previous roundup of specialized Linux distributions and killer open source monitoring tools. Read about the very best open source software products in InfoWorld's Best of Open Source Software Awards 2008. ]

In addition, because Linux thrives on a universe of free software, developers can be choosy about the pre-installed packages they supply with their custom system. One can easily construct a user environment tuned to a specific application.

The specialized Linuxes in this roundup showcase the advantages of customizing both OS components and user-level software. I look at a pair of firewall Linuxes, IPCop and m0n0wall; a Linux SAN/NAS appliance, OpenFiler; two Linuxes for musicians, Ubuntu Studio and Musix; and a final duo of distributions, Ubuntu Christian Edition and Ubuntu Muslim Edition, targeted at members of those corresponding religions.

IPCop
The firewall system IPCop is a fork of SmoothWall Linux (now called SmoothWall Express), which, in turn, is based on Red Hat Linux. The most recent releases of IPCop, however, have been created via LFS (Linux From Scratch).

On a typical Linux system, your interaction with the OS is either through an X-Windows based graphical desktop or a text-based shell. Not so with IPCop. Once started, it launches a Web server, which IPCop uses to host a management GUI. The first time you boot IPCop and enter the management GUI, you must configure the topological details of the intranet that IPCop will protect.

IPCop partitions your network into three color-coded zones. The Green zone is the most secure: IPCop insulates devices on the Green zone from all other zones. Green zone devices must be connected to the IPCop server via hardwired network connections. The next outward ring of protection is the Blue zone, which consists of wireless network devices. Blue zone devices are also insulated by IPCop's firewall system, but because this zone admits wireless access, it is necessarily less secure than the direct-wired Green zone. The outermost security ring is the Orange zone, which is that part of the local network exposed to the wider internet. The "outside world" is actually its own zone: Red. Naturally, Red zone traffic is completely uncontrolled by IPCop. Each zone attaches to the IPCop server through a dedicated Ethernet card. (A minimal IPCop system will have a Red zone and a Green zone.)

Web traffic can pass only from less secure to more secure zones through tightly controlled channels referred to as "pinholes." Basically, a pinhole is a set of rules (configured in the management console) that determines which packets are permitted into zones of higher security. Typically, the rules allow packets to be delivered to specific ports on specific machines in the secure zone. The underlying packet-routing decision-making in IPCop is performed by the iptables Linux application.