This is a discussion on home firewall for OpenBSD novice within the comp.unix.bsd.openbsd.misc forums, part of the OpenBSD category.
Hello. I'm strongly considering OpenBSD for a home network firewall (between me and the cable modem). I've heard of Linux setups by which it is possible to put necessary network files and kernel on a floppy, and boot to floppy. Then remove the floppy so it can't be written to in case anyone does manage to get through.

Is this viable with OpenBSD? Is it even needed? Any other information on putting together a secure home network / firewall leaves me much obliged,

John
In article <DiTBb.27155$HH.12610@fe1.texas.rr.com>, intermezzo wrote:
[snip: home notwork single floppy router]
>
> Is this viable with OpenBSD? Is it even needed? Any other information on
> putting together a secure home network / firewall leaves me
> much obliged,

There is such a thing as PicoBSD (FreeBSD based). I don't know if there is an OpenBSD flavoured version. I do know that you can achieve much the same with a bootable cd, and it leaves you far more room than a floppy.

As to if you /need/ it, well, I don't think so. You'll be more effective if you know what is going on and what the important issues are. A box supposedly secure because of draconian measures in one field (say, no physical media available so ``no-one can write it'') can give you a false sense of security if another field (say, the mailsetup) didn't receive quite as much attention because you didn't understand it. Which can be, and often is, worse than knowing you have little or no security at all. (Say, your mailsetup ends up being used as an open relay.)

I'd say a competent admin beats the latest automagic fad any day. And it isn't even _that_ hard to learn the basics, it just requires a bit of attention and some time. If --for whatever reason-- that is not an option, why bother with setting something up yourself at all? There's quite a few soho ``routers'' available nowadays. They're not expensive and come with lots of features to do basic stuff and a vendor to shout at in case of catastrophic failure. You can't do that with a homegrown box.

-- 
j p d (at) d s b (dot) t u d e l f t (dot) n l .
On Thu, 11 Dec 2003 07:49:59 +0000 (UTC), jpd <read_the_sig@do.not.spam.it> wrote:
>In article <DiTBb.27155$HH.12610@fe1.texas.rr.com>, intermezzo wrote:
>[snip: home notwork single floppy router]
>>
>> Is this viable with OpenBSD? Is it even needed? Any other information on
>> putting together a secure home network / firewall leaves me
>> much obliged,
[...]
>There's
>quite a few soho ``routers'' available nowadays. They're not expensive
>and come with lots of features to do basic stuff and a vendor to shout at
>in case of catastrophic failure. You can't do that with a homegrown box.

You actually think the "vendor" is going to do anything if you come back crying that someone hacked your box? You're dreaming in technicolour my friend. Anyhow, they are so stupid these that he probably wouldn't have a clue what you're talking about. And if not hacking then what other sort of "catastrophic failure" are you alluding to?
In article <d88htvs3im0eo0brh6henh9d1lfab1tj99@4ax.com>, Peter Matulis wrote:
>
> You actually think the "vendor" is going to do anything if you come
> back crying that someone hacked your box? You're dreaming in
> technicolour my friend. Anyhow, they are so stupid these that he
> probably wouldn't have a clue what you're talking about. And if not
> hacking then what other sort of "catastrophic failure" are you
> alluding to?

What does that matter? There's an actual trend going on, --outside the free software community, so you probably missed it-- of /downsizing/ and /reducing/ and... including going to established brand vendors _instead_ of using freely available alternatives. This to have someone to shout at if^Wwhen it doesn't work. Instead of having a competent --ooooh expensive!!!1-- admin to actually keep your stuff running. For we all know that shouting takes only a monkey and monkeys only cost this much in bananas.

So, no, not my drea^Widea. I'm just laying out the options.

-- 
j p d (at) d s b (dot) t u d e l f t (dot) n l .
jpd wrote:
> In article <d88htvs3im0eo0brh6henh9d1lfab1tj99@4ax.com>, Peter Matulis wrote:
>
>>You actually think the "vendor" is going to do anything if you come
>>back crying that someone hacked your box? You're dreaming in
>>technicolour my friend. Anyhow, they are so stupid these that he
>>probably wouldn't have a clue what you're talking about. And if not
>>hacking then what other sort of "catastrophic failure" are you
>>alluding to?
>
>
> What does that matter? There's an actual trend going on, --outside the
> free software community, so you probably missed it-- of /downsizing/
> and /reducing/ and... including going to established brand vendors
> _instead_ of using freely available alternatives. This to have someone
> to shout at if^Wwhen it doesn't work. Instead of having a competent
> --ooooh expensive!!!1-- admin to actually keep your stuff running.
> For we all know that shouting takes only a monkey and monkeys only
> costs this much in bananas.
>
> So, no, not my drea^Widea. I'm just laying out the options.
>
>

Since the original post specifically mentioned "home" firewalls, I'm not sure your reasoning holds. The last I heard, few people are not actively "downsizing" or "reducing" their homes; at least not on purpose, and for any reasonable definition of "downsize".

The usual suspects who offer the SOHO cable/DSL router/firewalls are probably not all that interested to hear that you've been hacked; you really don't have much recourse if your little blue box from 3Com loses its connection constantly, floods a university with NTP packets or allows smart hackers access to your internal network. This is the basic idea Peter was trying to get across, I think. Whether or not a well-maintained OBSD box is relatively more or less hackable than one of these devices is certainly open for discussion.

The question the OP should ask him or herself is whether the kind of service and protection they get from buying a turn-key SOHO router/firewall offsets the amount of time they wish to put into building an essentially free system that does the same essential job.
intermezzo wrote:
> Hello. I'm strongly considering OpenBSD for a home network firewall (between
> me and the cable modem). I've heard of Linux setups by which it is possible
> to put necessary network files and kernel on a floppy, and boot to floppy.
> Then remove the floppy so it can't be written to in case anyone does manage
> to get through.
>

OBSD is a good choice for this kind of work, and is flexible enough to add services for your users as your network inevitably grows. Out of the box, OBSD can be set up on a small PC to do nothing but firewalling and NAT routing. Another reply mentioned PicoBSD, which is based on FreeBSD, and is a pretty immediate floppy-based solution.

> Is this viable with OpenBSD? Is it even needed? Any other information on
> putting together a secure home network / firewall leaves me
> much obliged,
>

AFAIK, there is no turnkey solution generally available that is based on OpenBSD, though many people have grown their own solution in just a few hours. I'm about to design a floppy or flash-based system that replaces the aging standard PC OBSD setup I have now. So, the DIY solutions are many, and will probably only take a few days or hours, depending on your experience level with BSD installation and setup.

Doing some Google searches on OpenBSD and a few choice other phrases yields a lot of good stuff. Here are some promising links:

http://www.openbrick.org/
http://archives.neohapsis.com/archiv...3-10/1469.html
http://www.freebsdforums.org/forums/...threadid=12470
http://www.nmedia.net/~chris/soekris/

So, really, your choice is based on how much time you are willing to invest in this project. If you were going to invest time in one of the tiny Linux projects, there are just as many resources based on BSD to choose from. The information is out there, and some people have done all the hard work for you.

If your time is worth more, and you want to trade off a small amount of install and maintenance work for a drop-in solution, go with one of those little NATing firewall router/switch solutions from any big networking device company.
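The "nothing but firewalling and NAT routing" role described in the post above, written out as a minimal pf ruleset. This is an added illustration, not code from the thread or from any of the linked projects; it uses current pf syntax (OpenBSD 4.7 and later) rather than the 2003-era `nat on` form, and the interface names and LAN prefix are assumptions.

```pf
# /etc/pf.conf: home firewall/NAT between a LAN and a cable modem.
# Interface names and the LAN prefix are assumptions; adjust to your box.
ext_if = "em0"                 # faces the cable modem
int_if = "em1"                 # faces the home LAN
lan_net = "192.168.1.0/24"

# Forwarding must also be enabled: net.inet.ip.forwarding=1 in /etc/sysctl.conf

set skip on lo                 # never filter loopback
set block-policy drop          # drop silently instead of sending RST/ICMP errors

# Drop packets arriving on the LAN side that claim a source address
# which could not legitimately come from that interface.
antispoof quick for $int_if

# Default deny in both directions; log what is dropped.
block log all

# NAT: rewrite LAN source addresses to whatever address the cable modem
# handed $ext_if. The parentheses make pf re-read it when DHCP changes it.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Let the LAN reach the Internet (and the firewall itself). State is kept,
# so the only traffic allowed back in on $ext_if is replies to these flows.
pass in on $int_if inet proto { tcp udp icmp } from $lan_net to any
pass out on $ext_if inet from any to any

# No rule passes unsolicited traffic in on $ext_if: the default block above
# covers it, so nothing on the cable-modem side can open a connection inward.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` then prints the rules as pf actually parsed them.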
Great. Thanks to all. I got the Absolute OpenBSD book, and will spend time over money on this. Now it's either a long drive to buy the CDs, or ordering by Web. Thanks in advance, I can figure this out on my own!

John
In article <jA3Cb.117503$PD3.5833495@nnrp1.uunet.ca>, clvrmnky wrote:
> Since the original post specifically mentioned "home" firewalls, I'm not
> sure your reasoning holds.

Bleh.

-- 
j p d (at) d s b (dot) t u d e l f t (dot) n l .
"intermezzo" <inter@spam.edu> wrote in message news
>
> Hello. I'm strongly considering OpenBSD for a home network firewall (between
> me and the cable modem). I've heard of Linux setups by which it is possible
> to put necessary network files and kernel on a floppy, and boot to floppy.
> Then remove the floppy so it can't be written to in case anyone does manage
> to get through.
>
> Is this viable with OpenBSD? Is it even needed? Any other information on
> putting together a secure home network / firewall leaves me
> much obliged,
>
>
> John

You might find this of interest:

http://m0n0.ch/wall/

There's a ton of others as well which I'll have to track down the links for... - FreeBSD, OpenBSD, NetBSD and Linux ones...
"Firewall on a Floppy" can be found at http://www.theapt.org/openbsd/firewall.html. I HIGHLY recommend OpenBSD firewalls. They are not difficult to configure, they are inexpensive, and they are as secure as anything out there, if you configure them correctly. Also, there is a lot of support available.

"Test" <me@here.com> wrote in message news:tA7Cb.9920$aF2.1116047@news20.bellglobal.com...
>
> "intermezzo" <inter@spam.edu> wrote in message
> news
> >
> > Hello. I'm strongly considering OpenBSD for a home network firewall (between
> > me and the cable modem). I've heard of Linux setups by which it is possible
> > to put necessary network files and kernel on a floppy, and boot to floppy.
> > Then remove the floppy so it can't be written to in case anyone does manage
> > to get through.
> >
> > Is this viable with OpenBSD? Is it even needed? Any other information on
> > putting together a secure home network / firewall leaves me
> > much obliged,
> >
> >
> > John
>
> You might find this of interest:
>
> http://m0n0.ch/wall/
>
> There's a ton of others as well which I'll have to track down the links
> for... - FreeBSD, OpenBSD, NetBSD and Linux ones...
>
>