Slashdot Mirror


Linux Source Distribution for Firewalls?

Peter Miller asks: "I want to build a new firewall. I want fine control over the exact contents of the disk. So I went looking at Linux source distributions. Every one I looked at (Gentoo, Lunar, etc.) put the development environment on the final disk image. I don't think this is good for a firewall. Even Linux From Scratch does this; it isn't automated, and the nALFS UI is incomprehensible. I'd rather not have the package database in the final image, either. Micro-distros like FloppyFW don't publish their root image build script, and that's the route I'd like to follow. What do you security zealots out there use to build your firewalls from scratch?"

2 of 83 comments

  1. DEBIAN by Jeremiah Cornelius · Score: 2, Informative
    Debian.

    Seriously.

    It can build a TIGHT little install, on the base system. I can purge packages like Perl when it's done building - could even script dpkg/apt if I had to do this often.

    You wanted a source distro? You can do this with apt-source. Seems more painful than need be, with signed binaries available. I have been using the Adamantix packages (used to be Trusted Debian) and Bastille by Jay Beale and crew. I am pulling binary packages from my own apt repository, so the firewall itself doesn't pull from the Internet, but only from a dedicated admin segment.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  2. keep a development machine on hand by Anonymous Coward · Score: 1, Informative

    I have a Soekris net4501 box as a firewall. It runs FreeBSD 4.x and has a 1GB microdrive as its primary storage, which is mounted "noatime" and with no local logging, so the microdrive rarely spins up. (I plan on changing it to log to a ramdisk and flush it to the microdrive once a day, since sometimes I miss log entries, but that's another project.) I actually only need about 64MB, but I had the microdrive handy. In fact you can strip it down to 4-5MB if you are insane (see the excellent m0n0wall project).

    I build the entire thing on another FreeBSD machine (actually, a FreeBSD virtual machine running on VMWare on Red Hat, but that's not important) using a separate make.conf. I.e., I run something like this on the BSD source code:

    make __MAKE_CONF=/my/special/make.conf DESTDIR=/my/special/destdir buildworld

    Next I install the FreeBSD distribution /etc files into /my/special/destdir/MERGE-ETC/

    Next I reboot the Soekris box at securelevel -1 (which lets me clear the immutable flags), then I clear the immutable flags on all the executables and kernel so they can be replaced.

    Then I rsync the whole mess from my development box over to the Soekris box, but *excluding* any development tools, indeed, excluding all non-essential stuff. /etc is also left untouched.

    Then I run mergemaster on the Soekris box, merging /MERGE-ETC with /etc to pick up any new /etc changes. Then I delete mergemaster and /MERGE-ETC.

    Finally, I re-set the immutable flags on the kernel and important binaries, uncomment the securelevel stuff in /etc/rc.conf (I run in securelevel 3: can't clear immutable flags and can't change firewall rules), then reboot for a brand-spanking-new install.

    It sounds complicated, but I have it automated with a handful of scripts: run #1 on the VMware box, run #2 on the Soekris, run #3 on the VMware box to clean up and remove the build files, done.

    The same procedure should also be possible with Gentoo Linux, which I'm going to try on my new net4801 Soekris box. That will be less necessary since the net4801 supports an IDE hard drive and could theoretically be self-hosting if I'm patient, but I want to try my FreeBSD technique with Gentoo Linux.

    Other possibilities include NFS-mounting your firewall contents to your development box and chrooting into it, or netbooting the firewall somehow. What I love about these Free Software products is the amazing FLEXIBILITY!!
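A pre-reboot audit for the kind of image the comment above builds, added here as an example and not part of the original post or of the poster's scripts. It takes the image root (the rsync'd DESTDIR, or / on the Soekris box) and checks that no development tools survived the rsync, that /etc/rc.conf requests securelevel 3, and, when run on FreeBSD, that the kernel and key binaries carry the schg flag; the path lists are assumptions and should be adjusted to the real build.

```shell
#!/bin/sh
# Audit a firewall image before raising securelevel (added example, paths assumed).
# Usage: sh audit_image.sh /my/special/destdir   (exits non-zero on any finding)

# Development artefacts that should not have survived the rsync exclusions.
DEV_PATHS="usr/bin/cc usr/bin/c++ usr/bin/ld usr/bin/as usr/bin/make usr/include usr/src usr/obj usr/libexec/cc1"

# Files the comment re-flags immutable (schg) before going to securelevel 3.
IMMUTABLE_TARGETS="boot/kernel/kernel kernel sbin/init sbin/ipfw bin/sh"

# Report any development path still present under the image root; returns 1 if any.
find_dev_tools() {
    root=$1; rc=0
    for p in $DEV_PATHS; do
        if [ -e "$root/$p" ]; then
            echo "dev tool present: /$p"; rc=1
        fi
    done
    return $rc
}

# rc.conf must enable securelevel and set it to 3 (both lines uncommented).
check_securelevel() {
    conf=$1/etc/rc.conf
    grep -Eq '^kern_securelevel_enable="?YES"?' "$conf" &&
    grep -Eq '^kern_securelevel="?3"?' "$conf"
}

# On FreeBSD (chflags present) verify schg on each existing target; elsewhere skip.
check_immutable() {
    root=$1; rc=0
    command -v chflags >/dev/null 2>&1 || return 0
    for p in $IMMUTABLE_TARGETS; do
        if [ -e "$root/$p" ] && ! ls -lo "$root/$p" | grep -q schg; then
            echo "not immutable: /$p"; rc=1
        fi
    done
    return $rc
}

# Run all checks; returns 0 only when the image is clean.
audit_image() {
    status=0
    find_dev_tools "$1" || status=1
    check_securelevel "$1" || { echo "securelevel 3 not set in /etc/rc.conf"; status=1; }
    check_immutable "$1" || status=1
    return $status
}

if [ -n "${1:-}" ]; then audit_image "$1"; fi
```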