Slashdot Mirror
Linux Source Distribution for Firewalls?
Peter Miller asks: "I want to build a new firewall. I want fine control over the exact contents of the disk. So I went looking at Linux source distributions. Every one I looked at (Gentoo, Lunar, etc) put the development environment on the final disk image. I don't think this is good for a firewall. Even Linux From Scratch does this, it isn't automated, and the nALFS UI is incomprehensible. I'd rather not have the package database in the final image, either. Micro-distros like FloppyFW doesn't publish their root image build script, and that's the route I'd like to follow. What do you security zealots out there use to build your firewalls from scratch?"
Okay, not that important, but you either need two boxes, one with and one without development tools, or one with.
The point is that there is a bigger probability that you'll need to patch the firewall from time to time - than the probability of a cracker breaking into it and abusing the tools.
Also, it's _very_ conventient to have the development tools ready when you need that little tool on the firewall Right Now, and don't want to fiddle with using the identical box WITH development tools to build it, then transfer the new libraries and programs to the firewall box.
"Rune Kristian Viken" - http://www.nwo.no - arca
...should have been killed at birth.
Fuck Penguins, by the way.
Do a base linux from scratch system, then install what you need on top of that (netfilter and maybe a DHCP client is pretty much the only stuff you need on top of an LFS system).
Once the firewall is configured the way you want it, and everything you need is compiled and installed, delete the compiler and whatever else you *don't* need.
Simple, easy.
Not linux
--
"we live in a post-ideological world..." - Billy Bragg.
Build it on whatever you use for your desktop.
Compile your own kernel, and make the ram disk by copying libraries from your system as much as possible; this will make it easy to maintain. If you are willing to go the route of a bootable CD, you have a lot more room, and don't have to recompile every single thing just to get it smaller.
You can look at some of the stuff I did here: http://rgr.freeshell.org/flinux/ Feel free to send me email if you have questions.
BTW, there is no reason not to have the developement environment on the system. In fact, I don't see a reason not to make your main desktop system the same as the firewall machine.
Seriously.
It can build a TIGHT little install, on the base system. I can purge packages like Perl when it's done building - could even script dpkg/apt if I had to do this often.
You wanted a source distro? you can do this with apt-source. Seems more painful than need be - with signed binaries available. I have been using the Adamantix packages (used to be Trusted Debian) and Bastille by Jay Beale and crew. I am pulling binary packages from my own apt-repository, so the firewall itself doesn't pull from the Internet, but only a dedicated admin segment.
"Flyin' in just a sweet place,
Never been known to fail..."
I have a Soekris net4501 box as a firewall. It runs FreeBSD 4.x and has a 1GB microdrive as it's primary storage, which is mounted "noatime" and with no local logging, so the microdrive rarely spins up. (I plan on changing it to log to a ramdisk and flush it to the microdrive once a day since sometimes I miss log entries, but that's another project). I actually only need about 64MB but I had the microdrive handy. In fact you can strip it down to 4-5MB if you are insane (see the excellent m0n0wall project).
/etc files into /my/special/destdir/MERGE-ETC/
/etc is also left untouched.
/MERGE-ETC with /etc to pick up any new /etc changes. Then I delete mergemaster and /MERGE-ETC.
/etc/rc.conf (I run in securelevel 3, can't clear immutable flags and can't change firewall rules). then reboot for brand-spanking new install.
I build the entire thing on another FreeBSD machine (actually, a FreeBSD virtual machine running on VMWare on Red Hat, but that's not important) using a separate make.conf. I.e., I run something like this on the BSD source code:
make __MAKE_CONF=/my/special/make.conf DESTDIR=/my/special/destdir buildworld
Next I install the FreeBSD distribution
Next I reboot the Soekris box at securelevel -1 (which lets me clear the immutable flags), then I clear the immutable flags on all the executables and kernel so they can be replaced.
Then I rsync the whole mess from my development box over to the Soekris box, but *excluding* any development tools, indeed, excluding all non-essential stuff.
Then I run mergemaster on the soekris box, merging
Finally, I re-set the immutable flags on the kernel and important binaries, uncomment the securelevel stuff in
It sounds complicated but I have it automated with a handful of scripts: run #1 on the VMWare box, run #2 on the soekris, run #3 on the vmware to clean up and remove the build files, done.
The same procedure should also be possible with Gentoo Linux, which I'm going to try on my new net4801 Soekris box. That will be less necessary since the net4801 supports an IDE hard drive and could theoretically be self-hosting if I'm patient, but I want to try my FreeBSD technique with Gentoo Linux.
Other possibilities include NFS-mounting your firewall contents to your development box and chrooting into it, or netbooting the firewall somehow . What I love about these Free Software products is the amazing FLEXIBILITY!!
Three points:
they come with scripts and docs
they produce bare (no dev tools) images to use on compact flash cards
The dev machine is separate
I use a modified version of an OpenBSD on an old watchguard box.
See Soekris on OpenBSD and Soekris on FreeBSD
Oh really?
http://leaf.sourceforge.net
It is the successor of the LRP project.
Kirby
If they can install a rootkit, they can install GCC. Or do you live on some magical planet where the bad guys are smart enough to root your server but too stupid to bring along the tools they need?
The poster you replied to may have learned from the back of a Wheaties box, but at least he learned, which appears to be more than you've bothered with.
Not really, but I do make a standard installation CD of my prefered distro.
I have to manage a lot of similarly configured boxes. I use my favorite distro as a starting point then, trim off any fat/bloat, etc. Add specialized tools, which usually involved modifying some SPEC files for RPMS. to build a new RPM.
Once I get all the RPMs installed and build I remove the development RPMS, and other development tools.
I then run MONDO ARCHIVE http://www.microwerks.net/~hugo/
and build a bootable rescue disk. I then use that disk to quickly deploy preconfigured boxes. Seems like this would work for your firewall needs.
My distro of choice is Redhat, so you'll probably not use that for firewall, but the nice thing is anaconda does recongise a good amount of hardware, so that upon boot it will autoconfigure most hardware if you install the image onto a different machine.
This basically allows me to get a new webserver, with all my custom applications, and configurations from bare metal to running in about 20 minutes. So while it may not be exactly what you are looking for, it may be work for you.
-MS2k
I used to work for a company that rolled their own booter box systems (i think there are some official ones now) about 5-6 years ago. It was a really sweet setup, cause all they had was 2 (primary/backup)booter boxes for almost everything however some were specialized booter boxes too and most of the servers (over 100) were diskless machines which network booted everytime off of these booter boxes. I know it seems elaborate, but it was also really awesome because you have centralized deployment so you need to patch you dns servers just patch the files on the booter box and then your done. This was done using redhat with EtherBoot(or was it EtherDisk) The cool part was you only put hard drives in machines that need to store information (we had several logger machines sniffing network and recording events) While this was a sweet elaborate setup i imagine you could setup a linux firewall with minimal programs and a lightweight kernel all without messing around with deleting files etc... Ofcourse it does take some time to get this whole infrastructure going, but then lets say you wanted two firewalls, just grab another box and set it up to use the firewall image, your good to go.
One warning is it power goes out unexpectedly, make sure if you stuff autoboots that you have proper delays setup for booter boxes etc.. cause we found this out the hard way, when power when out nothing was working, found out that all servers came on the same time so the name servers, email servers, everything came on and it was chaos, plan out your infrastructure if this is used in a "mission critical" environment like where i used to work.
But be warned: it's a lot of work !
A good start is obviously Linux From Scratch, but you might check Linux From Scratch Via RPM. Having some packaging manager like RPM helps a lot.
But you have to write the build scripts on your own. I have created and am managing our in-house Linux distribution, and I had to write the build system that compiles the packages from spec files, sources and patches, keeps the build system clean, recognizes when spec files changed in order to recompile them, write a tool to compare version number in order to automate checking when new packages are released (and to check whether a package need recompilation) and install the packages into disk images (which could be what you'd like to have). I also implemented some other stuff like controlling everything with a database and stuff, but you won't need that :-)
Getting all necessary packages to compile correctly can sometimes be a real pain. While the GNU packages are trivial, some packages need that you write patches in order to make them compile (most of the time you need to patch the Makefiles so that they compile with the paths that you like and install correctly; sometimes make install DESTDIR=%{buildroot} won't work since the Makefile doesn't support the DESTDIR variable so you have to add that, for example).
But having your own distribution is really cool: you learn a lot about Linux. And while everyone can install and use a normal distribution few have their own, so this is something one can be proud of, I think ;-)
when my company was connected to inet through microwave we use floppyfw http://www.zelow.no/floppyfw/ booted from floppy. the firewall was old amd 486 machine (or it was i386?) with 8mb ram and two net cards. we never had any security problem, floppyfw works perfect and was very reliable.
Any sufficiently advanced technology is indistinguishable from magic. (Arthur C. Clarke)
This is the same as not having a text editor, so that an intruder cannot change config files. It doesn't work. When they could use an editor or compiler on your firewall, you've already lost.
Programming can be fun again. Film at 11.
BTW, there is no reason not to have the developement environment on the system. In fact, I don't see a reason not to make your main desktop system the same as the firewall machine.
:) But still, I can see why there would be some advantage in seperating them, and I would if I had the spare hardware.)
I can see a couple of reasons.
If someone compromises a normal user account on your firewall, the next thing they will want to do is get root access. They might do this by compromising a daemon running as root.
Your desktop machine will likely have more potential targets than your firewall.
Seperating the two means an attacker has to break both your firewall and your desktop machine. Admittedly seperating the two doesn't buy you a lot, as the desktop machine will probably be less secure than the firewall, but it does add a small amount of security, so it's not fair to say there is "no" reason.
It means that some script kiddie who compromises your firewall through luck rather than skill, doesn't have instant access to all the important data you keep on your desktop machine. Assuming the leet tool they used to compromise your firewall attacks a service that isn't running on your desktop, they could well be stumped.
Also, your firewall is probably going to be a whole lot more stable than your desktop. If, for example there's someone else in your house using another machine, you'll save them some inconvenience when your desktop box goes down.
Also, you might be dual booting OSs on your desktop machine. If it's also your firewall, you'll need to configure and keep secure multiple setups rather than one.
Also, a denial of service attack against your firewall won't stop you using your desktop machine.
These may not be compelling reasons to seperate your desktop and firewall, but they are still reasons.
(I have to admit, my firewall and desktop machine are one and the same.
In the past, having development tools on a hardend system was considered a security risk, but that has changed today. In the past, compilers were proprietary and hardware was expensive, so binaries (trojans, malware, other tools) could not be prebuilt and uploaded by just anyone. They needed a access to a compiler on the compromised system to build programs. Today gcc can cross compile binaries for almost any architecture and everyone has access to a unix box. I don't believe a developement env gives an attacker any real advantage today. What ever is not on a system, an attacker can upload.
Won't comment on the merits or lack thereof of putting development tools on a firewall machine, but I'm not sure I understand why you're having trouble installing your choice of software. Every package-based distribution I've used provides an option to select and install only individual packages.
Depending on your tastes, give Slackware a look. The install is fast and simple, and its avoidance of rpm/apt mean you can install code from source without worrying about screwing the packaging database.
-- Slashdot: When Public Access TV Says "No"
If you want the fancy features, then get the commercial version and enjoy the support.
why waste your own time re-inventing the wheel when it's already been done.
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
I use it for FTP, WEB, SMB, AppleTalk and print server as well. Heck, they even give you a free dynamic DNS address.
They also have a commercial version that supports IPSEC and PPTP, although you can install that stuff yourself.
Check it out here for the hobbyist version, or here for the commerical version. Enjoy!
-Fordboy0
Ligaguinggligagiggagoogoogwillgo
Try IP-Cop, This is a GPLed fork of Smoothwall, fully featured, extremely small footprint. If you install the RPM version, then you can add libs and programs onto the install. Checking out the Forums shows quite a number of addons, mods etc. that can be installed to give more flexability (edonkey/MTA/ftp servers/samba/squid/proxies/filters/additional ID) etc.)
Take a look at Gibraltar. It's a version of Debian designed for firewalls; it runs completely off of CD, so hackers have no hard drive to play with..
You can also do this with the BSDs by changing the target directory for make install to be a new filesystem you're creating to image elsewhere.
Note: This is a plan, purchases made, lacking time.
At a flea market, I purchased a hard drive hot-swap cradle. This is not to hot-swap, but to make a drive easily removable. I've also purchased an extra hard drive.
The base OS install will be on the removable hard drive. I plan to copy what's needed from the OS install over to the fixed hard drive, making a second, stripped install.
To run as a firewall, remove the extra hard drive.
To build/install/upgrade, reboot with the extra hard drive plugged in, and rebuild the stripped installation.
A few minor details (grub/lilo, etc) but nothing major.
I'm also thinking about small tricks like RO-root and possibly putting the RO parts of the stripped install into an ISO9660 partition on the fixed hard drive. Nothing's foolproof, but the more obstacles you can throw in their way...
The living have better things to do than to continue hating the dead.
Recovering from a break-in can be very annoying, but in the case where your firewall box is running an OS that fits on a floppy, I wouldn't assume the lack of a compiler means no one has placed a back door on the machine. Especially when recovering means shutting the machine down, popping out the floppy, popping in a fresh copy of the backup you'd made, and rebooting.
LFS does NOT put the compiler on the final image unless you want it there. I make CF-booting LFS firewalls and can fit the kenrel, iptables, iproute2, IPSec with NAT-T and X.509 support, PERL (yes PERL) and other goodies on a 16M CF disk.
Maybe I'm missing something, but isn't coyote linux a somewhat obvious choice for this?
The scripts are open to modification as much or as little as you like. IIRC, the end of the script is building/compiling the packages you've requested.
There is very little future in being right when your boss is wrong.
Go with OpenBSD.
If you're slightly more relaxed, Slackware is great - or any other no frills distribution would do like, Tawnie - very small and tight, just like Tawnee Stone (hehehehehe, sorry 'bout that, the new name for the distribution is nice, but sounds to much like Tawnee).
If you're relaxed and calm, any distribution is fine.
Ash nazg durbatuluk, ash nazg gimbatul Ash nazg thrakatuluk agh burzum-ishi krimpatul
If you want to build your own using a prepackaged set of tools, I strongly suggest using buildroot.
My firewalls are all diskless boot machines (they pull their image from a server that's on a private network), so size *does* matter to me. Having the full development environment simply is not an option.
As others have pointed out, having gcc on your firewall isn't going to provide you with a great deal of security. Just another (and a tiny one, at that) hoop to jump through. If they can root your box, then they can upload a compiler (or, more likely, a precompiled binary).
I use buildroot to compile my system. I have to tweak the make scripts, but I can get openssh/iptables and a bootable system compiled in a gshield which generates a script that I can edit to use as my firewall.rc. (I don't actually use ghield as the firewall, just capture the commands that it would have executed to create the ruleset at runtime)
Best of luck.
i run gentoo as my firewall, i build the entire firewall system in a folder on my main system chrooted in the "build" folder. I build my entire system(firewall, fileserver celeron500x2 on bp6, 256mb ram.) without X or anything fancy. Just the necesities. The I copy the /firewallinstall folder to another harddrive's, install grub to the mbr of the new drive. I also EXCLUDE copying any of the portage stuff, delete the portage and gcc related contents in /var and emerge unmerge gcc before the copy to get the file system size very small.
this works great for me.
emKnoppix was concived exactly for this purpose. One disadvantage of source distributions is that if their are bugs in say ssh, you are forced to apply patches and update. But if you follow a good distro like debian, the patches are all there, well tested. So emknoppix uses debian as the main distro and builds a compressed disk image which you can boot using a kernel, just like knoppix.
Even though name is emknoppox this is not a run from CD distro, the
The url is http://emknoppix.sarovar.org and I am the author :-)
raj
Sarovar.org Hosting for open source projects in Indi
As much as I love linux I would have to say if security is concern #1, then use openBSD. It's pretty scary looking at all the stuff at linuxsecurity.org that is listed for all the distros. In fact if you go to http://www.linuxsecurity.com/advisories/ you can see they keep track of free/net/open BSD vulnerabilities too. The most recent openBSD advisory is dated 8/12/2002, where mandrakes most recent is well... today.
Chaos is Divine *
What's the size of the resulting system ?
Rather than relying on some distro to do it for you. Biggest problem I had was getting a usable floppy image and using ext2 fs.
Most of those root floppy distros use minix fs so if you want to see what is on them you need to mount a minix fs. I think there is a little more to it than that but not much. Basically what they do is create a kernel image and then use dd to put it on a floppy. Then they create the filesystem image and use dd with an offset to tell it where to start on the floppy. Then they use dd again to create the floppy iamge back on the drive. It is really not that hard to do, just a lot of steps.
Problem is that it is limited as just a firewall / router. Not much you can really get on a floppy. I went the CD image route myself and used FreeBSD. After using ipfw(v1&v2), ipf, ipchains, and iptables I like ipfw2. It is real easy to understand what is going on and it is stateful. Also my cd image is now down to 61 Meg and includes bind9, apache2, snort, ipfw2, perl, and ipsec and routes traffic through 3 interfaces (2 wired / 1 wireless). It runs on an old Dual Pentium 233Mhz MMX with 128Meg RAM and I don't have to worry alot about a hacker getting control cause they cannot overwrite the binaries on a cdrom ;-) and nothing is open on the outside. It is also nice cause all the clients can use the same DNS number and I don't have to keep up with what my ISP is doing as far as dns. Also a CDROM gives you more flexability than a floppy. Its worth looking into. I'd rather not place the URL of my documentation here, as I don't want to risk being slashdotted to death.
Only 'flamers' flame!
Does slashdot hate my posts?
Linux packet filtering is just plain crap when compared to the others out there: IPFW, IPFW2, IPFilter, PF.
:)
Use one of the floppy-/CD-ROM-based BSD systems: ClosedBSD, MicroBSD, PicoBSD, emBSD.
Or, build your own using FreeBSD, OpenBSD, or NetBSD.
Once you start using a BSD-based firewall system, you'll never want to use Linux again. Plus, you won't have to worry about your packet filter changing completely in the next release.
This is a nice way to turn any computer into a temporary (diskless?) drop in replacement firewall/router
Nice features:
Very easy to configure port forwarding rule configuration (from the windows gui)
Easy configuration of hardware (to keep it small enough to fit on disk)
Stable
You're just mad because the voices in your head talk to me.
Try openBSD, it works very well, it's very secure out of the box, and the Packet filtering is very powerful. I've read in numerous places, even here on slashdot, that it's superior to linux's ipchain/ipfilter.
I build my firewalls with either CD-ROM drives or read only NFS mount points.
None of my firewalls first of all have any hard disks in them or floppy drives.
Only CD-ROM drives or no drives at all.
This is to insure that should a fault occur, the attacker is totally king of a read only file system.
Which effectively makes my compromised firewall a kingdom of....nothing.
Not only that, I just flip the power button.
I have a small ram disk, enough to run the ipchains command from a small bash prompt so I can make modifications to the firewall shuold I need to.
But they all disapear as soon as I hit the reset button. This is a good thing, or bad thing, depending on how you like to do things.
I store the entire image iso in a SQL based file system, so I have many types of firewalls, each with annotated sql table fields describing what they do, with documentation.
That way, I can just do a simple:
select description, iso from firewalls where description='H323' AND description='NAT';
In essence I ask the database to cough up a ISO should one already exists that handles NAT and video conferencing.
If nothing is returned, I build one, write a description, and put it in the database.
I do this with everything, even my infrastructure.
I do not believe in writing reports, or looking at pretty graphics, so I use SQL commands to ASK my infrastructure questions...
In my infrastructure database, I have over 1000 SNMP data point histories on server status, etc.
It would be really simple to write a front end for my stuff, which is what I have been doing.
I could have used something off the shelf, but most of the O.S. projects rely too much on the fact you have to HAVE TIME to read reports, and look at the pretty pictures.
That is worthless too me, I need a SQL command line and a database that is structured so I can ask it questions interactively, or through scripts (i.e. Java servlets).
-Hack
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
Plus their fearless leader seems to be something of a belligerent (and possibly unstable) jackass (google it and see yourself). While I, too, have something of this trait, I'm not here asking people to trust their network security to me.
ipcop is based on the early work on smoothwall. It's just as easy to install and configure and use, it's completely open source (meaning you can get at those install scripts you wanted) and it appears, based on my limited dialup experience, to be much more secure than smoothwall.
You can get build scripts for floppyfw:
Floppyfw development directory
It's the "devkit" and I must admit it's not perfect yet but people use it and I will provide a better and full development system for building your floppyfw from scratch (the devkit has this already but it is not perfect yet). It will also have build scripts for ISO/CD and CF.
So, it's possible to build floppyfw from scratch.
-- Life is a beach, surf
lwn.net/Distributions/
Specifically, lwn.net/Distributions/index.php3#secure and possibly also the special purpose distros (mini, floppy, cd, whatever).
Engarde, Immunix, and Openwall are all designed to be secure platforms for server or firewall development.
If you want something small, you might look at LEAF or Coyote or Wolverine. Coyote is free, Wolverine is $30-$120 depending on which license you need.
Personally, I'm using Astaro (free for personal use). It seems to be well designed from a security perspective (everything is chrooted, etc.), but it is not easy to customize the web interface, etc. A 'pluspack' is downloadable which includes gcc, etc, or you can compile on RedHat if you have the right versions of all the libraries.
Nothing to see here; Move along.
From the Project Page:
Introduction to APT-Fu
Why?
Why not? And because I can. It'll eventually make my life easier with optFiles/patches which allow me to upgrade packages while keeping most/all of any customizations I make to the original source package intact. I appreciate the work Debian maintainers do, but sometimes I would like to add my own flavor to things.
Why Debian? Why not just use another source-based distribution?
Debian has thousands of software packages, more than any other distribution I know of. I can always fall back to using a binary package if I'm not in the mood a particular day to wait for the source to compile, especially if I only plan on using it occasionally.
Debian also distributes source code in an easy-to-download format with APT, just like every other source-based distribution. Not only that, Debian has been doing this long before source-based Linux distributions became well-known.
Debian has the resources, infrastructure and quality that many of the smaller, newer, source distributions don't have. It has long-ago achieved critical mass. It has already been around for 10 years, and I can be reasonably certain it will be around for many more years. It is in no danger of being abandoned due to lack of interest, time, or funding; common problems with smaller projects. I don't have to worry about a mirror being down with Debian because there's always another one to pick and choose from.
Often, I hear of a new package and just want to quickly try it out. I'm far less likely to want to try it out if I have to wait a long time for it to compile. Sometimes I want the power and flexibility of a sourced-based distro, and sometimes I'd rather just download and be reasonably assured that it works fine the way it is from binaries.
The Debian package management system also offers clean uninstalls and reverse-dependency checking. I can uninstall a lot of non-essential stuff on a whim and not worry about breaking my system. I consider the safe and clean uninstallation and of software just as important, if not more so, than being able to merely install software.
Why APT-Fu? Why not use an existing source-building tool in Debian?
The source-building tools I've encountered in Debian have all had their strong points, but none of them had nearly all the features I wanted.
I wanted something that would let me install a package from source with one command: `apt-fu src-install pkg`
The ability to automatically modify the source code through simple configuration scripts with inline-patches: optFiles.
The ability to easily preserve my changes if I manually edited something: configurable auto-diff generation with the --prompt=pre-build option.
I also wanted to keep the scores of rarely used, and sometimes conflicting build-dependencies off my system: --no-keep-builddeps, the the default setting
apt-fu can also decide which build-dependencies to build from source, choosing only the ones with static libraries or objects in them. It won't build every single build-dependency from source because the resulting binaries won't benefit from it: (--recursive|-R option)
Furthermore, I wanted something that would work on the latest 'stable' distribution (3.0, at the time of writing). Correctly selecting the default source package version and build-deps is important to me since I keep unstable deb-src lines in the sources.list for my stable machine in case I need a backport done to stable: `apt-fu src-policy pkg` to check.
"Flyin' in just a sweet place,
Never been known to fail..."