Networking Install and Configure pfSense in Your Home Network


Recently I had the opportunity to deploy pfSense for a work-related project. Impressed with its features, performance and usability, I decided to incorporate it into my home network. This post will describe the basics of how to install and configure pfSense version 1.2.3 in a home network and offer some recommendations based on my experiences using it.

pfSense (i.e., “making sense of packet filtering”) is a customized version of FreeBSD tailored specifically for use as a perimeter firewall and router, and managed almost entirely from a web-based GUI. In addition to being a firewall and routing platform, pfSense includes a long list of other features, as well as a package system allowing its capabilities to be expanded even further. pfSense is free and open source and its source code is released under the BSD license.

Hardware Considerations

    Minimum requirements

The minimum hardware requirements for pfSense include a 100 MHz CPU, 128 MB of system RAM, and a minimum of two Network Interface Controllers (NIC). Depending on how you decide to install pfSense, you may also need a hard drive with ~1 GB of free space as well as a CD-ROM drive or bootable USB drive in order to install pfSense to the hard drive (or to run the pfSense Live CD directly), or a 512 MB (minimum) Compact Flash (CF) card to install an embedded image of pfSense. These requirements are extremely modest, but unless your data throughput requirements are fairly de minimis, you’re likely going to want to use hardware offering a little better performance. Since a major contributor to throughput performance is the system’s CPU, let’s start there. pfSense’s published guidelines for CPU sizing recommend the following:

  • 10-20 Mbps – no less than 266 MHz CPU
  • 21-50 Mbps – no less than 500 MHz CPU
  • 51-200 Mbps – no less than 1.0 GHz CPU
  • 201-500 Mbps – server class hardware with PCI-X or PCI-e network adapters, or newer desktop hardware with PCI-e network adapters. No less than 2.0 GHz CPU
  • 501+ Mbps – server class hardware with PCI-X or PCI-e network adapters. No less than 3.0 GHz CPU

    Your choice of NICs will also have a significant impact on reliability and throughput performance. Low cost NICs, notwithstanding the potential long term reliability concerns, tend to rely much more on the system CPU to process segments and packets compared to their higher priced counterparts. Consequently, the better the NIC, the better the throughput performance you can expect from a given CPU. In short, don’t be too frugal when it comes to the NICs you use. Intel NICs are well supported under *BSD and always a good choice. If possible use discrete NICs rather than the on-board ones featured on many motherboards.

    You should also ensure you have enough system memory. How much you’ll need depends largely on how you decide to install and operate pfSense. You can elect to run pfSense directly from a Live CD, for example, but doing so will require more RAM than installing it on a hard drive. Some of the add-on packages will increase RAM requirements significantly as well. Snort and ntop, for example, are two packages that the pfSense development team cautions should not be installed on a system with less than 512 MB RAM. Another factor to keep in mind when considering memory requirements is the number of active network connections. pfSense keeps track of active connections using a state table. The default state table size is 10,000 entries, each requiring ~1 KB of RAM or 10 GB in total – likely more than adequate for handling most home networks, but if you require a significantly larger state table, keep system memory requirements in mind.

      Compatibility

    pfSense is purportedly compatible with any hardware supported by the FreeBSD version a particular pfSense build is based upon. pfSense version 1.2.3, for example, is based upon FreeBSD v7.2. It’s always a good idea, however, to check the hardware you’re planning to use against the information contained in the FreeBSD 7.2-RELEASE Hardware Notes and the Hardware Compatibility section of the Frequently Asked Questions for FreeBSD 6.X, 7.X and 8.X. The pfSense forums are another good resource, useful for gleaning the hardware compatibility experiences of others.

      My components

    If you’re anything like me, you’ve likely managed (through no fault of your own of course) to build up quite a cache of “spare parts” as a result of upgrading various computers around the home or office. I was able to dig up the following parts to build my pfSense box:

  • Intel DG43NB motherboard
  • Intel E7500 2.93 GHz Core2Duo CPU
  • (2) Intel Pro/1000 PT (Intel 82772GI) NIC
  • Mushkin DDR2 667 (PC2 5300) 2GB RAM
  • Western Digital WD360GD 36GB SATA hard drive
  • PC Power & Cooling Turbo-cool 475 power supply
  • Lian-Li PC-60USB B2 mid-tower case

    As you can see, these parts were more than adequate for my project based on pfSense’s minimum requirements and the hardware considerations discussed above. This particular Intel motherboard turned out to be a good choice because it includes on-board graphics, removing the requirement to install a discrete graphics card to a system that will operate headless 99% of the time. I also used a CD ROM drive, but only for the amount of time needed to install pfSense from the Live CD; after that it was no longer needed.

    Installation

    In addition to the relatively low hardware requirements, pfSense also provides a number of options for installation.

    First, you can simply run it directly from a Live CD or bootable USB drive. Any configuration changes you make can be saved on a floppy drive or USB flash drive. The downside to this approach, however, is that you won’t be able to install any of the add-on packages available to extend the capabilities of pfSense – and there are some really nice ones.

    Another option is to install an embedded image of pfSense on a CF card rather than perform a full install on a hard drive. CF cards can handle a limited number of writes, so the embedded version runs as read only, while the file system runs as read/write from system memory. You’ll want to choose an embedded image that is sized less than or equal to the size of the CF card you’re planning to use. The newer embedded versions of pfSense based on NanoBSD have the ability to support some packages.

    VMware users will also be happy to know that, starting with pfSense v1.2.1 RC2, a pfSense VMware appliance is available for use with the appropriate VMware products.

    Finally, the pfSense Live CD includes an option to perform a full install to a hard drive. All add-on packages are fully supported using this method. Be aware though that the entire drive or slice will be overwritten. This is the install method I chose, primarily because pfSense was going to more or less take up permanent residency in my home network and I wanted the freedom to install and try any of the add-on packages.

    Performing a full installation of pfSense on a hard drive is straightforward. Having gone through the process a number of times, though, I would recommend a couple of preliminary steps. First, make a note of the Media Access Control (“MAC”) address for each NIC you’re installing in the system as well as its physical location in the motherboard. If your memory is as bad as mine, this will save you from wondering later “damn, now which NIC did I assign as the LAN interface?…” Second, disconnect the NICs from any LAN and WAN components until you have the box up and running and configured to your requirements. Finally, if you have other hard drives in the system I recommend disconnecting them until the installation is complete so as to not accidentally install to the wrong drive.

    Download a copy of the pfSense Live CD and burn it to a CD (or place it on a bootable USB drive). After booting the system using the disk, you’ll arrive at a screen listing the valid interfaces and a request to set up V-LANs (See Figure 1). If you don’t plan to use V-LANs in your network, or perhaps have no immediate need for them, you can decline to configure them now and elect instead to configure them at any time after the installation using pfSense’s “webConfigurator” (webGUI) interface. Following the V-LAN option you’re asked to assign each of your interfaces to the role of either “LAN,” “WAN,” or “OPT” (Optional). Make a note as to which NIC you assigned to each interface. This will come in handy later when you physically connect them to the LAN, WAN, etc.

     Screenshot of NIC and V-LAN assignment in pfSense Live CD installation

    Figure 1

    After configuring V-LANs, if desired, and assigning NICs to interfaces, the installation continues, eventually arriving at the pfSense console menu (See Figure 2). Note that pfSense initially configures the WAN interface to use DHCP and so you will not see an IP address assigned to that interface if it was left disconnected during installation or you use a static IP address. The LAN interface will be assigned the default address of 192.168.1.1. It’s also worth pointing out here that should you desire to forego a full installation to the hard drive and instead run pfSense from the LiveCD (not recommended), you essentially have only to reconfigure your LAN IP address, if desired, by selecting “Set LAN IP Address” (menu option 2), then point your browser to the LAN IP address you assigned and complete further setup and configuration using pfSense’s “webConfigurator” interface.

     Screenshot of pfSense console menu

    Figure 2

    To proceed with installing pfSense to the hard drive, select “Install pfSense to a hard drive/memory drive, etc.” (menu option 99). The first screen to appear after this selection allows you to change a number of console settings (video font, screen map, or alternate keyboard) before continuing. Next, you’re presented with a list of installation options (See Figure 3). If you have only one hard drive connected to the system and no need for any custom options, select “Quick/Easy Install.” If you have more than one hard drive connected to the system, selecting this option will result in pfSense being installed to the first hard drive recognized by the system BIOS. Selecting “Custom Install” presents a choice of which hard drive to install to, along with a number of options related to drive formatting, geometry, partitioning, and bootblocks.

     Screenshot of pfSense hard drive install menu

    Figure 3

    The final install screen offers a choice of custom kernel configurations. The processor in my system, for example, is an Intel dual core processor, so I chose the “Symmetric Multiprocessing Kernel” option. Note that if you plan to use an Intel processor supporting “Hyper-Threading,” you should be safe using this option. When the installation finishes you’re prompted to remove the disk and reboot.

    Configuration

    After pfSense is installed to the hard drive, it’s ready for further setup and configuration. I started by returning to the console menu and selecting “Set LAN IP Address” (menu option 2) so that I could configure pfSense’s LAN interface IP address to one that would fall within the subnet used within my network. This menu option also allowed me to activate pfSense’s DHCP server and define a range of IP addresses the server could use. Once the LAN IP address and DHCP server were configured, I connected to the LAN interface, fired up the web browser, and navigated to pfSense’s webGUI. The webGUI login is password protected – the default login is admin and the password is pfsense. Since this was my first time logging in to this installation of pfSense, I was greeted with its setup wizard (See Figure 4).

     Screenshot of pfSense configuration wizard

    Figure 4

    The setup wizard starts by asking you to define the hostname for your pfSense box, the domain where it will reside, and primary and secondary DNS servers. You can use any hostname you’d like but be aware of the following constraints: the hostname you choose must start with a letter, and after that contain only letters, numbers or a hyphen (e.g., “firewall” or “firewall-1”). The “Domain” field can be filled in with any fully qualified domain (e.g., “mysite.org”) or a name of your choice (e.g., “homenet”). The hostname and domain fields are combined to create the fully qualified domain name of your pfSense box (e.g., “firewall.mysite.org” or “firewall.homenet”). If your service provider provisions your service using DHCP, then the DNS fields will likely be filled in automatically when you connect to your provider. If you plan to use a static WAN IP address, or simply prefer to use alternative DNS providers, then you should provide at least a primary DNS address at this point. For example, while my local cable operator provides DNS servers via DHCP, I prefer to use OpenDNS servers.

    The next wizard screen is where a time server hostname and timezone are defined. Unless you have a specific reason to do otherwise, I recommend using the default host 0.pfsense.pool.ntp.org, which will automatically choose a random server from a pool of known good NTP servers.

    Next, you’ll be taken to the WAN section of the setup wizard (See Figure 5). If your service provider provisions your service using DHCP, then you simply need to select “DHCP” from the drop-down list; otherwise choose the appropriate service type. The “MAC Address” field under “General configuration” can be used to enter a MAC address that will pose as the MAC address of your WAN interface NIC. This feature came in quite handy in my case. My cable service provider in essence “binds” the WAN IP address to the MAC address of the device connected to the cable modem when it provisions service. Since my pfSense box would eventually replace an existing firewall, I simply copied the existing firewall’s MAC address in order to avoid the downtime that would otherwise occur as I sat on the phone with the service provider explaining the reason for the MAC address change. The “Block RFC1918 Private Networks” and “Block bogon networks” sections are selected by default in order to block invalid traffic from entering your network. The remaining sections in this portion of the setup wizard are specific to the WAN service type chosen.

    Screenshot of pfSense configuration wizard - WAN section

    Figure 5

    After the WAN section, you’ll encounter the final two sections of the setup wizard. These provide the opportunity to change, if desired, the LAN IP address as well as the default admin password. Note that this password also serves as the password for SSH access and the console menu (should you decide to password protect it).

    At the conclusion of the setup wizard, you’ll select “Reload” and be returned to the webGUI. At this point basic connection options are configured enough to allow the pfSense box to be safely connected to the service provider and LAN. However, before bringing pfSense online in my network, I made several other optional changes to its configuration.

      Password protect the console menu

    While pfSense is managed almost entirely from its webGUI, it does allow some configuration management through its console menu (See Figure 2). By default, pfSense does not secure this menu; therefore, anyone who can physically connect a monitor to the box will have root level shell access. To prevent this (or at least make it more difficult), navigate to System -> Advanced and select “Password protect the console menu.” You’ll need to reboot the box for this change to take effect. Note that the user name for the console menu is always admin or root regardless of whether or not you change the login name for accessing the webGUI. However, the password in both cases will be the same.

      NAT reflection

    By default pfSense prevents hosts within the LAN from accessing your public IP addresses. This can be inconvenient at times, particularly when testing port forwarding from within the LAN. To change this, navigate to System -> Advanced and unselect “Disable NAT Reflection.” Note that NAT reflection only works on ports you have built forwarding rules for, and it will not work for large port ranges (greater than ~500 ports). There is no need to reboot in order to invoke/un-invoke this option so you can use it on an as-needed basis if desired.

      Packages

    As mentioned, pfSense offers a fairly extensive package system allowing you to extend its capabilities. To find a list of packages that can be added, navigate to System -> Packages. Two packages I particularly like are rate, a package that adds a table of realtime bandwidth usage by IP address to Status -> Traffic Graphs (See Figure 6), and iperf, a tool for testing network throughput, loss, and jitter.

    Screenshot of pfSense configuration - Rate package

    Figure 6
      Firewall

    Setting up NAT port forwarding and firewall rules in pfSense can be a bit daunting at first. Once you get the hang of it though you’ll realize just how flexible and powerful the system is. Options for configuring port forwarding and firewall rules can be found under Firewall -> NAT and Firewall -> Rules respectively. I recommend setting up any port forwarding rules you may have first. Then, for each port forwarding rule, you’ll need to set up an associated firewall rule.

      DHCP

    Options for configuring the DHCP server on the LAN interface can be found under Services -> DHCP server. If you’re deploying pfSense in a typical home network where the availability of IP addresses is not of primary concern, one option you may want to consider changing is the default lease time of 7200 seconds (two hours). In order to pare down the number of lease requests in my network, I increased lease time to 604860 seconds (seven days). This is also the section where you can assign static IP addresses to hosts if desired. I typically assign static IP addresses to servers and network devices (managed switches, network printers, etc.), as well as to any hosts I intend to build long-term port forwarding rules for.

      UPnP

    If you use Microsoft’s Xbox Live service in conjunction with your Xbox 360, you know what a pain in the ass it can be at times to get it to work reliably through your home network gateway/firewall. A common solution is to forward the necessary ports to the device, but what if you have two Xbox 360s? If you want one or more Xbox 360s to have reliable access to/from Xbox Live, the only real solution is to use Universal Plug and Play (UPnP). Fortunately, pfSense’s UPnP service works remarkably well. To activate it, navigate to Services -> UPnP and select “Enable UPnP,” then make sure the LAN interface is selected. That’s it. Your Xbox 360s will discover pfSense’s UPnP server and the necessary port forwarding rules will be built automatically as needed. You can check which ports have been forwarded by navigating to Status -> UPnP.

      Wake on LAN

    Say I’m at the office and need to grab a file from a host on my home network. But what if that host is a laptop or desktop that isn’t normally powered on? With Wake on LAN implemented in the firewall, I can remotely instruct it to send the Wake on LAN “Magic Packet” to the host I need powered up. To set up Wake on LAN, navigate to Services -> Wake on LAN and enter the MAC addresses for the host or hosts you’d like to send Magic Packets to.

      System Logs

    I like having my logs arranged so that the newest entries appear first. To do that, navigate to Status -> System logs -> Settings and select “Show log entries in reverse order (newest entries on top).”

      Bash

    Occasionally, I want to forego pfSense’s webGUI and work directly through the shell (console menu option 8). In these cases, I’d prefer to use Bash over pfSense’s default tcsh. To install bash you’ll need to use FreeBSD’s Packages System (the Ports Collection is not included in pfSense).

    pkg_add -r bash
    

    Once it’s installed, use the command exec bash to switch from tcsh to Bash. If you’d like Bash to become the default shell in pfSense, then you’ll need to edit the file /etc/rc.initial. Open this file using your favorite editor and look for the following lines:

    8)
            /bin/tcsh
            ;;
    

    Replace /bin/tcsh with /usr/local/bin/bash. Now, each time you access the shell you’ll default to Bash. You can add the files .bash_profile and/or .bashrc to /root to define your Bash environment further if desired.

    Remote Access

    With my pfSense box configured, it was time to move on and set up remote access to it. pfSense’s webGUI uses http and port 80 by default, and accessing it remotely is simply a matter of navigating to your WAN address. While convenient, this approach isn’t terribly secure, nor is it without potential connection problems as many ISPs block incoming port 80 traffic. To help improve upon both of these situations, you can use https instead of http and choose an alternate incoming port. You can find settings to configure both of these options by navigating to System -> General Setup. Note that pfSense will use a self-signed x.509 certificate and RSA private key when using https for webGUI access. If you’d like to use an existing SSL certificate and key, you may enter those by navigating to System -> Advanced and pasting them into the appropriate fields under “webGUI SSL certificate/key.” You’ll also find a link in that section labeled “Create certificates automatically,” which will walk you through the steps necessary to generate a new self-signed certificate. Also, be aware that if you decide to use an alternate port, you will need to create a new firewall rule under Firewall -> Rules that will allow a connection on the WAN interface to pass through to pfSense’s webGUI server (lighttpd) on the port you specify. At a minimum, this rule should define the following parameters:

    Action: Pass
    Interface: WAN
    Protocol: TCP
    Destination: WAN address
    Destination port range: your alternate webGUI port selection

    pfSense’s SSH server may also be enabled to allow remote access to the console menu via an SSH client. To enable the SSH server, navigate to System -> Advanced and select “Enable Secure Shell.” For security reasons, I recommend using an incoming port other than 22, and a key-based login instead of a password. To use a key-based login, select “Disable Password login for Secure Shell (KEY only)” and then paste your public key into the “Authorized keys” field. Should you need help generating a public/private key pair, please see my post Remote Access to Your Ubuntu Server using PuTTY, Hamachi and SSH. Note that you will also need to create a new firewall rule under Firewall -> Rules that will allow a connection on the WAN interface to pass through to pfSense’s SSH server should you decide to use an alternate incoming port.

    Conclusion

    This concludes the post on how to install and configure pfSense on your home network. pfSense isn’t hard to configure nor complicated to manage, and proves to be a nice open source package for implementing a robust and scalable perimeter firewall and router.

    References

    Buechler, C.M. & Pingle, J. (2009). pfSense: The definitive guide. USA: Reed Media

    http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49


    Linux Using The dd Command to Create Files of a Specific Size


    Occasionally, the need arises for files of a specific size. Transferring said files between hosts, for example, can provide a quick indication of your network throughput. One easy way to build a file of a specific size is with the Data Description or dd command. The dd command is one of the original Unix utilities, used to perform low-level copying of a specified input file to the specified output file (standard input to standard output is the default) according to operands, while optionally performing conversions on the raw data. You’ll often see it used to create an image of an entire disk or the disk’s Master Boot Record, or to make a disk from an image.

    Let’s open a terminal in Linux and create a file named “test-file” that’s one kilobyte (decimal units) in size:

    mkdir ~/testfiles && cd ~/testfiles
    dd if=/dev/zero of=test-file bs=1KB count=1
    

    You should see something that resembles the following output:

    1+0 records in
    1+0 records out
    1000 bytes (1.0 kB) copied, .000145457 s, 6.9 MB/s
    

    To create a larger file, say one megabyte or one gigabyte, replace the KB multiplicative suffix in the bs operand with MB or GB respectively:

    dd if=/dev/zero of=test-file bs=1GB count=1
    

    How about a file that’s 1.5 gigabytes? You can accomplish this by adjusting the bs multiplicative suffix and the number of blocks in the count operand:

    dd if=/dev/zero of=test-file bs=1MB count=1500
    

    To use binary units (multiplication by a power of 2) instead of decimal units, simply drop the “B” in the bs multiplicative suffix. Let’s recreate our test file using binary units (one megabyte = 1048576 bytes):

    dd if=/dev/zero of=test-file bs=1M count=1
    1+0 records in
    1+0 records out
    1048576 bytes (1.0 MB) copied, 0.002878 s, 364 MB/s
    

    Note for users of FreeBSD (and possibly other Unix-like operating systems), the dd command supports binary units only. For example, attempting to use bs=1MB instead of bs=1M will result in an error.
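
The FreeBSD caveat above can be sidestepped by converting the size to a byte count in the shell and handing dd a plain number. The following is an added example, not part of the original post; the function names size_to_bytes, make_test_file and file_size are hypothetical helpers, and the suffix table follows the decimal/binary convention described above.

```shell
#!/bin/sh
# Added example: build a file of an exact size with a dd invocation that
# works on both GNU and FreeBSD dd, by passing bs= as a plain byte count.

# size_to_bytes SPEC: convert "<n><suffix>" to bytes.
# KB/MB/GB are decimal (powers of 1000); K/M/G are binary (powers of 1024).
# Whole numbers only: write 1500MB rather than 1.5GB.
size_to_bytes() {
    spec=$1
    num=${spec%%[!0-9]*}      # leading digits
    suffix=${spec#"$num"}     # whatever follows them
    [ -n "$num" ] || return 1
    case $suffix in
        "") mult=1 ;;
        KB) mult=1000 ;;
        MB) mult=1000000 ;;
        GB) mult=1000000000 ;;
        K)  mult=1024 ;;
        M)  mult=1048576 ;;
        G)  mult=1073741824 ;;
        *)  return 1 ;;
    esac
    echo $((num * mult))
}

# make_test_file PATH SPEC: write exactly SPEC bytes of zeros to PATH.
make_test_file() {
    out=$1
    bytes=$(size_to_bytes "$2") || { echo "bad size: $2" >&2; return 1; }
    # Use the largest block size that divides the total evenly, so dd does
    # not need one huge buffer and the count stays an integer.
    for bs in 1048576 1000000 1024 1000 1; do
        [ $((bytes % bs)) -eq 0 ] && break
    done
    dd if=/dev/zero of="$out" bs="$bs" count=$((bytes / bs)) 2>/dev/null
}

# file_size PATH: size in bytes (wc pads its output on some systems).
file_size() { wc -c < "$1" | tr -d ' '; }

# Demo in a scratch directory: decimal and binary kilobyte, then 1.5 MB.
demo_dir=$(mktemp -d)
for spec in 1KB 1K 1500KB; do
    make_test_file "$demo_dir/test-file" "$spec"
    echo "$spec -> $(file_size "$demo_dir/test-file") bytes"
done
rm -rf "$demo_dir"
```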

    There you have it. A nice simple way to create files of a specific size for network testing or whatever your needs might be. Leave a comment if you have a favorite use for the dd command.


    News iceflatline Now Available to Mobile Users


    I’ve finally got around to implementing a mobile version of this site. Those of you that navigate here using your mobile device (Android, iPhone, etc.), will automatically be detected and served up the mobile version of the content, hopefully to find it a better experience. No worries though, there is a link to get back to the desktop version if the look and feel isn’t for you. I suspect I’ll be tweaking on this for some time so please report any issues you encounter. You can leave a comment on this post, catch me on IRC or send me an e-mail.

    Networking Fixing Ethernet Connection Problems on the Lenovo ThinkPad T410


    Earlier this year I purchased a Lenovo ThinkPad T410 laptop. Nice box. But shortly after purchasing it I began to notice that its ethernet adaptor would lose connection on a regular-yet-random basis regardless of the network I happened to be on. I dual-boot with this machine and I did not seem to be experiencing the same problem while running Ubuntu. So… I suspected the culprit might be my Windows 7 network driver. Sure enough, after trying several versions of Lenovo-supported drivers, the ultimate solution to this problem was to dump the Lenovo driver completely and download the driver for the 82577LM ethernet controller directly from Intel. Problem solved.

    Note that in addition to installing the base driver for the ethernet controller, the package will also give you the option to install Intel PROSet for Windows Device Manager, Intel Advanced Networking Services, and SNMP for Intel network adapters for Windows 7. The first two are selected for you by default. If installed, Intel’s PROSet software provides a custom device manager property page for the adaptor which has some pretty nice features, including diagnostics. Contrary to its name, the Intel Advanced Networking Services feature does not install additional Windows services; rather, it installs a couple of extra tabs in the aforementioned device manager property page allowing you to set up and manage teaming and V-LAN tagging on the adaptor. The SNMP for Intel network adapters feature is simply an SNMP agent enabling you to send event notifications via SNMP (requires that the Windows SNMP service be running).


    Linux Installing SliTaz Linux on a Hard Drive


    I had the pleasure of trying SliTaz Linux recently, a small, lightweight distro available as a LiveCD/DVD or startup image. Given its minimal size, SliTaz is ideally designed to boot from a LiveCD/DVD or USB drive and then reside in system memory, allowing you to remove the boot media if desired. While extremely useful this way, I decided to try out a less ephemeral installation option. This post will describe my experience installing SliTaz on a hard drive. The software versions used in this post were as follows:

    SliTaz GNU/Linux v3.0
    GParted v0.5.2-9

    Configuring the Hard Drive for SliTaz Installation

    To begin, I downloaded the SliTaz LiveCD Stable version ISO and burned it to a CD. Once it was up and running, I navigated to SliTaz’s built-in installation utility located at System Tools->Slitaz installer. This same utility can also be reached from the command line. The root password in either case is “root”.

    su
    slitaz-installer
    

    SliTaz’s ncurses-based installer is nothing if not minimalistic. However, I found it quite usable assuming you’ve had some prior experience installing Linux distributions (See Figure 1). SliTaz’s documentation suggests a minimum of 120 MB of free space. However, shortly after I finished my installation I ran df -h and determined it had consumed 285.8 MB, so I would recommend a minimum of 300 MB of free space.

    Screenshot of the SliTaz installer utility - initial

    Figure 1

    I found out quickly that the installer did lack one common feature though, a built-in partitioning tool. That meant that before I could proceed with installation, I needed a free partition ready to use, or needed to create one using Gparted (available on the SliTaz LiveCD), fdisk, or similar utility. I used Gparted to create a single primary partition (due to its de minimis size, SliTaz needs no Linux Swap partition). I verified which partitions SliTaz recognized as available by using the installer’s List menu option (See Figure 2).

    Screenshot of the SliTaz installer utility - partition list

    Figure 2

    After determining which partition to install SliTaz on and manually entering it into the installer (in my case /dev/hdc1), I moved on to format this partition. The only file system option here is ext3, but you can skip this step if you’ve previously formatted the partition using Gparted or another partition creation utility. The installer then offered the option of creating a separate /home directory, which I declined, and then moved on to configuring the host name, as well as root and non-root account names and passwords. I was then presented with the option of installing the GRUB bootloader (See Figure 3).

    Screenshot of the SliTaz installer utility - GRUB

    Figure 3

    It appears the SliTaz installer only provides the option to install GRUB on the disk Master Boot Record. If I’d wanted to install GRUB on a different partition, I would need to edit GRUB’s configuration file /boot/grub/menu.lst. Since SliTaz was the only operating system planned for this hard drive, I confirmed the GRUB location and the installer quickly installed SliTaz on my hard drive. After rebooting the system I was presented with the typical GRUB menu presenting SliTaz as the (only) operating system choice listed. However, trying to boot into SliTaz from the GRUB menu I was presented with an “Error 21” as shown in Figure 4.

    Screenshot of GRUB error 21

    Figure 4

    Looking closely at the error message it appears GRUB thought that the partition for SliTaz was located on the first partition of drive hd2 (hd2,0). Since this was the only hard disk installed on the system during the install, I suspect it should have been assigned to the first partition of hd0 or (hd0,0). To verify, I rebooted using the SliTaz LiveCD, mounted /dev/hdc1, and looked at the GRUB device map to see what GRUB named the drive (See Figure 5).

    su
    mkdir /mnt/tmp
    mount /dev/hdc1 /mnt/tmp && cd /mnt/tmp
    cat boot/grub/device.map
    

    Screenshot of SliTaz terminal - GRUB device.map

    Figure 5

    It appears GRUB assigned (hd0) to the drive /dev/hdc. Then I looked at GRUB’s configuration file to determine which partition was configured for the SliTaz boot partition /dev/hdc1 (See Figure 6).

    cd /mnt/tmp
    cat boot/grub/menu.lst
    

    Screenshot of SliTaz terminal - GRUB menu.lst

    Figure 6

    As I suspected, the SliTaz installer assigned /dev/hdc1 to (hd2,0), a nonexistent drive and partition. To fix this I simply changed (hd2,0) to (hd0,0) and I was back in business.

    What may have occurred was that my hard drive was attached as a master on the secondary EIDE slot on the motherboard. Even though it was the only hard drive attached to the system at the time of the install, the SliTaz installer erroneously assumed it was the third and designated it as /dev/hdc. This led to the problem later when the GRUB device map did not agree with the GRUB configuration file.
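
The mismatch described above (menu.lst pointing at a drive that device.map never defines) can be caught before rebooting. The following is an added example, not part of the original post or of SliTaz; check_grub_roots, expected_root and write_sample are hypothetical helper names, and the two sample files are constructed to mirror the values reported in the post.

```shell
#!/bin/sh
# Added example: cross-check GRUB legacy menu.lst against device.map.

# check_grub_roots DEVICE_MAP MENU_LST
# Prints one line per root/rootnoverify entry and returns non-zero if any
# entry names a drive that device.map does not define.
check_grub_roots() {
    awk '
        FILENAME == ARGV[1] {               # device.map: "(hd0)  /dev/hdc"
            if (match($1, /^\(hd[0-9]+\)$/))
                known[substr($1, 2, RLENGTH - 2)] = $2
            next
        }
        $1 == "root" || $1 == "rootnoverify" {   # menu.lst: "root (hd2,0)"
            drive = $2
            sub(/^\(/, "", drive); sub(/,.*/, "", drive)
            if (drive in known) print "OK " $2 " -> " known[drive]
            else { print "MISSING " $2; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# expected_root DEVICE_MAP LINUX_PARTITION
# Translate e.g. /dev/hdc1 into GRUB legacy notation using device.map.
# GRUB legacy counts partitions from 0, Linux from 1.
expected_root() {
    part=${2##*[!0-9]}        # trailing digits, e.g. "1"
    [ -n "$part" ] || return 1
    disk=${2%"$part"}         # e.g. "/dev/hdc"
    drive=$(awk -v d="$disk" '$2 == d { gsub(/[()]/, "", $1); print $1; exit }' "$1")
    [ -n "$drive" ] || return 1
    echo "($drive,$((part - 1)))"
}

# write_sample DIR: constructed files reproducing the situation in the post.
write_sample() {
    printf '(hd0)\t/dev/hdc\n' > "$1/device.map"
    cat > "$1/menu.lst" <<'EOF'
# /boot/grub/menu.lst (constructed sample)
timeout 5
title SliTaz GNU/Linux
    root (hd2,0)
    kernel /boot/vmlinuz root=/dev/hdc1
EOF
}

# Demo: report the bad entry and the value it should have had.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
check_grub_roots "$demo_dir/device.map" "$demo_dir/menu.lst" ||
    echo "suggested: root $(expected_root "$demo_dir/device.map" /dev/hdc1)"
rm -rf "$demo_dir"
```

On a real system, point the two arguments at boot/grub/device.map and boot/grub/menu.lst under the mounted target partition.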

    Conclusion

    Despite the lack of some features in the SliTaz installer and the GRUB Error 21 problem, I found installing SliTaz Linux to be a fairly straightforward affair.

    References

    http://www.slitaz.org/en/doc/handbook/install.html
    https://help.ubuntu.com/community/GrubHowto
