The
latest version
|
How
to get NetBSD
Firewall |
Questions you should have
|
Is
it useful for me? |
How to install it
|
Getting
the hardware ready |
Full technical disclosure
Related technical resources
|
Sites
with information |
Let us know!
All the files listed below are available both for download and on the CD.
There's not much difference between a default NetBSD install, so if you want to reproduce our work, it's probably a good idea to start with a full set of sources from the NetBSD site.
From the NetBSD site, we took the base.tgz, kern.tgz, and etc.tgz installation packages, unpacked them, and deleted a number of files from them. We also modified a lot of text files in the /etc directory, mostly to disable services a firewall does not need, and in some cases, services you definately do not want on a firewall system. To see what we did, download our firewall.tgz, unpack it, and have a look.
We modified the sysinst tool to allow for an easier installation process, and to allow for the fact that the firewall system will have two ethernet cards. Of course, the fact that we already know the network address for the internal network helps. Also, we write a NAT setup file from sysinst, with the right ethernet information in it. The sources are here. For people who know a bit about the source code layout of NetBSD, what you get when you unpack is the set of files that differ from the standard source distibution, in the same layout as you would see them in the standard source code base; not just the sysinst tool, but the few modifications required to get a dhcp client onto the floppies as well, including the slightly modified kernel configuration for the boot floppy. If you just install all NetBSD sources, and install this package on top of it, you'll be set to build our install floppies, which we modified a bit as well.
Also, we built a modified kernel for use with the firewall, again with the purpose of disabling features that are unwanted on firewall systems. The configuration is here.
That's basically all you need to reproduce our work. Should you have any questions, don't hesitate to ask.
What you'll end up with is a Unix system with NAT (network addres translation) set up to translate the private address space on the internal network (192.168.1.x) to the one external address. IP Filters are employed to prevent some network abuse, source routing is disabled, and the internal ftp proxy makes ftp transparent. The kernel has all potential hazards disabled, is built without debuggers and has the security level set to 1. All network daemons are disabled in inetd.conf, syslog starts in secure mode (ignoring UDP packets) and no rpc is started (included portmon).
The previous version, 1.5.0, is of course still available:
- boot floppies
- or seperately from here and here.
- and the firewall package.
The source for the previous version, 1.5.0, is of course still available:
