Linux Source Distribution for Firewalls?
Peter Miller asks: "I want to build a new firewall. I want fine control over the exact contents of the disk. So I went looking at Linux source distributions. Every one I looked at (Gentoo, Lunar, etc.) put the development environment on the final disk image. I don't think this is good for a firewall. Even Linux From Scratch does this; it isn't automated, and the nALFS UI is incomprehensible. I'd rather not have the package database in the final image, either. Micro-distros like FloppyFW don't publish their root image build scripts, and that's the route I'd like to follow. What do you security zealots out there use to build your firewalls from scratch?"
Development environment is important. (Score:1)
The point is that there is a bigger probability that you'll need to patch the firewall from time to time - than the probability of a cracker breaking into it and abusing the tools.
Also, it's _very_ convenient to have the development tools ready when you need that little tool on the firewall Right Now, and don't want to fiddle with using the identical box WITH development tools to build it, the
Re:Development environment is important. (Score:1)
I fail to see exactly how this is prevented by not having development tools installed. If there is a writable area on the server (and there probably is), it's as simple as statically compiling the kit before pushing it.
Not to mention that the cracker would have no problems shoveling in a working
For a floppy distro?? (Score:2)
Re:Development environment is important. (Score:2)
I disagree.
The first assumption I make is that every firewall I install WILL get rooted eventually.
So - the trick is to make it as painful as possible for an attacker to do anything once the box is compromised, in the hope that I find out about the breach before the attacker can do much damage... and if I don't notice quick eno
Do Linux From Scratch. (Score:2)
Once the firewall is configured the way you want it, and everything you need is compiled and installed, delete the compiler and whatever else you *don't* need.
Simple, easy.
Re:Do Linux From Scratch. (Score:2)
Once the firewall is configured the way you want it, and everything you need is compiled and installed, delete the compiler and whatever else you *don't* need.
I did this the other day on a Gentoo box, then I realized that deleting GCC on a source-only distro, with no RPM, was a BIG mistake.
BTW, floppyFW rules (and supports VPN) plus
Re:Do Linux From Scratch. (Score:2)
The idea is that you don't delete it until you're done with it. On a firewall box, you don't need to compile much.
Re:Do Linux From Scratch. (Score:1)
I understand the idea that you don't want dev tools on an externally accessible machine. But, at the same time, you either need some kind of binary package management, or you need to have the ability to do a "make world" on another box and copy over the binaries.
Re:Do Linux From Scratch. (Score:2)
It depends, but usually... (Score:3, Interesting)
Not linux [openbsd.org]
Re:It depends, but usually... (Score:1)
I second the motion!
Re:It depends, but usually... (Score:2)
Absolutely. Why demand Linux, when there is already another free best-of-breed option out there? Setting OpenBSD up as a firewall is a piece of cake (IIRC, three or four intuitive config files all in
Re:It depends, but usually... (Score:2)
I mean really, people, if you are going to flame, flame on the message, not the sig. Let's get back to on-topic flames.
Re:It depends, but usually... (Score:2)
I have heard that the standard firewall in BSD is better than the standard firewall in Linux.
I do believe that there are some router distros that run right from a CD-ROM. Getting rid of the hard drive seems like a good plan when it comes to things like a firewall.
We use
Re:It depends, but usually... (Score:1)
Re:It depends, but usually... (Score:2)
Build it "by hand" from your preferred distribution (Score:2)
Compile your own kernel, and make the ram disk by copying libraries from your system as much as possible; this will make it easy to maintain. If you are willing to go the route of a bootable CD, you have a lot more room, and don't have to recompile every single thing just to get it smaller.
You can look at some of the stuff I did here: http://rgr.freeshell.org/flinux/ . Feel free to send me email if you have questions.
BTW, there is no reason not to have the de
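The "copy libraries from your system" step this post describes, written out as an added shell example (not code from the poster or from the linked flinux pages): it copies a binary plus the shared libraries ldd resolves for it into a stripped root tree, so the final image never needs a compiler or package database. The root path and the tool list in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: populate a stripped root tree from a working system.
# Assumptions: GNU/BSD-style ldd output, and a root directory you choose.
set -eu

# Extract library paths from ldd-style output read on stdin.
# Handles "name => /path (addr)" and bare "/path (addr)" (the dynamic
# loader); skips entries with no file, such as linux-vdso.so.1 and
# "statically linked".
deps_from_ldd() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    '
}

# Copy one file into the root tree, preserving its absolute path.
install_into_root() {
    root=$1; src=$2
    mkdir -p "$root$(dirname "$src")"
    cp -p "$src" "$root$src"
}

# Copy a binary and every shared library ldd reports for it.
# Statically linked binaries need only themselves, so ldd failing is fine.
copy_with_deps() {
    root=$1; bin=$2
    install_into_root "$root" "$bin"
    if ldd "$bin" >/dev/null 2>&1; then
        ldd "$bin" | deps_from_ldd | while read -r lib; do
            [ -e "$root$lib" ] || install_into_root "$root" "$lib"
        done
    fi
}

# Usage (assumed image root and a minimal firewall tool set):
#   ROOT=/mnt/fwroot
#   for b in /bin/sh /sbin/iptables /sbin/ip; do copy_with_deps "$ROOT" "$b"; done
```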
Re:Build it "by hand" from your preferred distribut (Score:1)
I can see a couple of reasons.
If someone compromises a normal user account on your firewall, the next thing they will want to do is get root access. They might do this by compromising a daemon running as root.
Your desktop machine will likely have more potential targets than your firewall.
Separating the two means an attacker
Removable hard drive (Score:2)
At a flea market, I purchased a hard drive hot-swap cradle. This is not to hot-swap, but to make a drive easily removable. I've also purchased an extra hard drive.
The base OS install will be on the removable hard drive. I plan to copy what's needed from the OS install over to the fixed hard drive, making a second, stripped install.
To run as a firewall, remove the extra hard drive.
To build/install/upgrade, reboot with the extra hard drive plugged in, and
Re:Removable hard drive (Score:2)
If you do this and get it working, send me an email because I'd be interested to hear how it worked out. Perhaps when your development drive is stable, you might just put it on a cdr
Re:Removable hard drive (Score:1)
DEBIAN (Score:3, Informative)
Seriously.
It can build a TIGHT little install, on the base system. I can purge packages like Perl when it's done building - could even script dpkg/apt if I had to do this often.
You wanted a source distro? You can do this with apt-source. Seems more painful than need be - with signed binaries available. I have been using the Adamantix packages (used to be Trusted Debian) and Bastille by Jay Beale and crew. I am pulling binary packages from my own apt repository, so the firewall itself doesn't pull from the Internet, but only from a dedicated admin segment.
Re:DEBIAN (Score:2)
I'd be in Groovopolis!
APT-FU (Score:2)
From the Project Page:
Introduction to APT-Fu
Why?
Why not? And because I can. It'll eventually make my life easier with optFiles/patches which allow me to upgrade packages while keeping most/all of any customizations I make to the original source package intact. I appreciate the work Debian maintainers do, but sometimes I would like to add my own flavor to things.
Why Debian? Why not just use another source-based distribution?
Debian has thousands of softw
keep a development machine on hand (Score:1, Informative)
(Free||Open)BSD and a mod of the Soekris scripts (Score:4, Interesting)
Three points:
they come with scripts and docs
they produce bare (no dev tools) images to use on compact flash cards
The dev machine is separate
I use a modified version of an OpenBSD on an old watchguard box.
See Soekris on OpenBSD [google.com] and Soekris on FreeBSD [google.com]
Try LEAF (Score:2)
http://leaf.sourceforge.net
It is the successor of the LRP project.
Kirby
Re:Try LEAF (Score:1)
I roll my own "distro" (Score:2)
I have to manage a lot of similarly configured boxes. I use my favorite distro as a starting point, then trim off any fat/bloat, etc., and add specialized tools, which usually involves modifying some SPEC files for RPMs to build a new RPM.
Once I get all the RPMs installed and built, I remove the development RPMs and other development tools.
I then run MONDO ARCHIVE (http://www.microwerks.net/~hugo/ [microwerks.net]) and build a bootable rescue disk.
Make a booter box solution (Score:1)
Create your own source distro (Score:2)
But be warned: it's a lot of work!
A good start is obviously Linux From Scratch, but you might check Linux From Scratch Via RPM [puxedo.org]. Having some packaging manager like RPM helps a lot.
But you have to write the build scripts on your own. I have created and am managing our in-house Linux distribution, and I had to write the build system that compiles the packages from spec files, sources and patches, keeps the build system clean, recognizes when spec files changed in order to recompile them, write a tool to com
floppyfw (Score:1)
Why bother? (Score:2)
This is the same as not having a text editor, so that an intruder cann
Re:Why bother? (Score:2)
It will allow an attacker to build their own software, which is guaranteed to work on the box they've rooted. (I know this is obvious, but it needs stating clearly because it's more important than you realize.)
If they have precompiled binaries that won't run on your system (because you've deliberately chosen a system that's not common), they'll be forced to build their own - it won't stop them, but it will slow them down, or encourage them
This Shouldn't Be Hard (Score:2)
Depending on your tastes, give Slackware a look. The install is fast and simple, and its avoidance of rpm/apt means you can install code from source without worrying about screwing up the packaging database.
Smoothwall (Score:2)
If you want the fancy features, then get the commercial version and enjoy the support.
Why waste your own time reinventing the wheel when it's already been done?
Re:Smoothwall (Score:2)
Smoothwall comes with its own rootkit (Score:2)
Plus their fearless leader seems to be something of a belligerent (and possibly unstable) jackass (google it and see yourself). While I, too, have something of this trait, I'm not here asking people to trust their network security to me.
ipcop is based on the early work on smoothwall. It's just as easy to install and configure and use, it's completely open so
ClarkConnect (Score:1)
I use it for FTP, WEB, SMB, AppleTalk and print server as well. Heck, they even give you a free dynamic DNS address.
They also have a commercial version that supports IPSEC and PPTP, although you can install that stuff yourself.
Check it out here [clarkconnect.org] for the hobbyist version, or here [clarkconnect.com] for the commercial version. Enjoy!
-Fordboy0
IPCOP (Score:1)
Gibraltar Firewall (Score:1)
What's the problem? (Score:1)
You can also do this with the BSDs by changing the target directory for make install to be a new filesystem you're creating to image elsewhere.
Um (Score:1)
coyote linux? (Score:4, Insightful)
The scripts are open to modification as much or as little as you like. IIRC, the end of the script is building/compiling the packages you've requested.
If you're that paranoid (Score:2)
If you're slightly more relaxed, Slackware is great - or any other no-frills distribution would do, like Tawnie - very small and tight, just like Tawnee Stone (hehehehehe, sorry 'bout that; the new name for the distribution is nice, but sounds too much like Tawnee).
If you're relaxed and calm, any distribution is fine.
buildroot busybox uclibc (Score:2)
My firewalls are all diskless boot machines (they pull their image from a server that's on a private network), so size *does* matter to me. Having the full development environment simply is not an option.
As others have pointed out, having gcc on your firewall isn't going to provide you with a great deal of security. Just another (and a tiny one, at that) hoop to jump through. If they can root your box, then
Re:buildroot busybox uclibc (Score:2)
If you want to build your own using a prepackaged set of tools, I strongly suggest using buildroot [uclibc.org].
gentoo... (Score:2)
How small ? (Score:2)
try emKnoppix (Score:1)
emKnoppix was conceived exactly for this purpose. One disadvantage of source distributions is that if there are bugs in, say, ssh, you are forced to apply patches and update. But if you follow a good distro like Debian, the patches are all there, well tested. So emKnoppix uses Debian as the main distro and builds a compressed disk image which you can boot using a kernel, just like Knoppix.
Even though the name is emKnoppix, this is not a run-from-CD distro; the /etc is stored on hard disk (or flash or disk on
Security -- OpenBSD (Score:1)
Re:Security -- OpenBSD (Score:1)
I broke my rule of "don't do anything before you have some coffee". Apparently I have to apply that to my days off too =)
Re:Security -- OpenBSD (Score:2)
The site is most certainly not up to date with OpenBSD! And even the advisories listed are not complete for their time period. This is not a good sign for a site supposedly devoted to security.
build your own linux floppy.... (Score:2)
Rather than relying on some distro to do it for you. Biggest problem I had was getting a usable floppy image and using ext2 fs.
Most of those root floppy distros use minix fs so if you want to see what is on them you need to mount a minix fs. I think there is a little more to it than that but not much. Basically what they do is create a kernel image and then use dd to put it on a floppy. Then they create the filesystem image and use dd with an offset to tell it where to
Skip Linux altogether (Score:2)
Use one of the floppy-/CD-ROM-based BSD systems: ClosedBSD, MicroBSD, PicoBSD, emBSD.
Or, build your own using FreeBSD, OpenBSD, or NetBSD.
Once you start using a BSD-based firewall system, you'll never want to use Linux again. Plus, you won't have to worry about your packet filter changing completely in the next release.
Re:Skip Linux altogether (Score:1)
Indeed, the syntax of iptables rules leaves a lot to be desired, to put it mildly. I much prefer PF over iptables, and easy syntax is one of the reasons for that preference. And I've been informed that iptables is not stateful without a kernel patch.
Re:Skip Linux altogether (Score:1)
You have been misinformed. Check www.netfilter.org and see that it is stateful out of the box.
Re:Skip Linux altogether (Score:1)
http://www.netfilter.org/documentation/pomlist/pom-extra.html#tcp-window-tracking
For a firewall give openBSD a try (Score:1)
Firewalls (Score:2)
None of my firewalls first of all have any hard disks in them or floppy drives.
Only CD-ROM drives or no drives at all.
This is to ensure that should a fault occur, the attacker is totally king of a read-only file system.
Which effectively makes my compromised firewall a kingdom of... nothing.
Not only that, I just flip the power button.
I have a small ram disk, enough to run the ipchains command from a small bash prompt so I can
Re:Firewalls (Score:1)
You're not wrong, but I haven't seen anyone mention this yet:
A lot of SCSI drives have a jumper to set them "read-only". This can't be circumvented in software, and you still get the speed benefits of using a disk! This article has given me the push to get the firewall out of my desktop which is dual-booting
Re:Firewalls (Score:2)
CD-ROMS, coupled with a small Ram Disk, don't have that problem.
You can also usually enable read only in the BIOS of the DISK as well.
There are all sorts of ways to secure the console.
-Hack
Re:Firewalls (Score:1)
I reckon they're cheap. Damn cheap in fact. And some ugly BIOSes won't boot if your keyboard is not present; fair enough if the disk has failed.
>CD-ROMS, coupled with a small Ram Disk, don't have that problem.
Don't they? I've had CD-ROMs fail, and plenty more than hard disks. I also have CD-ROMs that "work" but can't read CD-Rs. CD-ROM is my last choice for media to boot from or s
Source build for floppyfw (Score:1)
Floppyfw development directory [zelow.no]
It's the "devkit", and I must admit it's not perfect yet, but people use it, and I will provide a better and full development system for building your floppyfw from scratch (the devkit has this already, but it is not perfect yet). It will also have build scripts for ISO/CD and CF.
So, it's possible to build floppyfw from scratch.
Resources (Score:2)
lwn.net/Distributions/ [lwn.net]
Specifically, lwn.net/Distributions/index.php3#secure [lwn.net] and possibly also the special purpose distros (mini, floppy, cd, whatever).
Engarde [engardelinux.org], Immunix [immunix.org], and Openwall [openwall.com] are all designed to be secure platforms for server or firewall development.
If you want something small, you might look at LEAF [sourceforge.net] or Coyote or Wolverine [coyotelinux.com]. Coyote is free, Wolverine is $30-$120 depending on which license you need.
Personally, I'm using Astaro [astaro.com] (free for personal use). It seems to be