Linux Source Distribution for Firewalls?

Peter Miller asks: "I want to build a new firewall. I want fine control over the exact contents of the disk. So I went looking at Linux source distributions. Every one I looked at (Gentoo, Lunar, etc.) put the development environment on the final disk image. I don't think this is good for a firewall. Even Linux From Scratch does this; it isn't automated, and the nALFS UI is incomprehensible. I'd rather not have the package database in the final image, either. Micro-distros like FloppyFW don't publish their root image build script, and that's the route I'd like to follow. What do you security zealots out there use to build your firewalls from scratch?"
  • Okay, not that important, but you either need two boxes, one with and one without development tools, or one with.

    The point is that there is a bigger probability that you'll need to patch the firewall from time to time - than the probability of a cracker breaking into it and abusing the tools.

    Also, it's _very_ convenient to have the development tools ready when you need that little tool on the firewall Right Now, and don't want to fiddle with using the identical box WITH development tools to build it, the
    • The point is that there is a bigger probability that you'll need to patch the firewall from time to time - than the probability of a cracker breaking into it and abusing the tools.

      I disagree.

      The first assumption I make is that every firewall I install WILL get rooted eventually.

      So - the trick is to make it as painful as possible for an attacker to do anything once the box is compromised, in the hope that I find out about the breach before the attacker can do much damage.. and if I don't notice quick eno
  • Do a base linux from scratch system, then install what you need on top of that (netfilter and maybe a DHCP client is pretty much the only stuff you need on top of an LFS system).

    Once the firewall is configured the way you want it, and everything you need is compiled and installed, delete the compiler and whatever else you *don't* need.

    Simple, easy.
    • Do a base linux from scratch system, then install what you need on top of that (netfilter and maybe a DHCP client is pretty much the only stuff you need on top of an LFS system).

      Once the firewall is configured the way you want it, and everything you need is compiled and installed, delete the compiler and whatever else you *don't* need.


      I did this the other day on a Gentoo box, then I realized that deleting GCC on a source-only distro, with no RPM, was a BIG mistake.

      BTW, floppyFW rules (and supports VPN) plus
      • deleting GCC on a source-only distro, with no RPM, was a BIG mistake.

        The idea is that you don't delete it until you're done with it. On a firewall box, you don't need to compile much.
        • Riiiight, and so when the next OpenSSH (or Squid, Apache, proftpd, whatever) vulnerability is announced, you're supposed to just start over from scratch?

          I understand the idea that you don't want dev tools on an externally accessible machine. But, at the same time, you either need some kind of binary package management, or you need to have the ability to do a "make world" on another box and copy over the binaries.
  • by Ratso Baggins ( 516757 ) on Friday October 17, 2003 @01:57AM (#7237568) Homepage
    "What do you security zealots out there use to build your firewalls from scratch?"

    Not linux [openbsd.org]


    • I second the motion!

    • Absolutely. Why demand Linux, when there is already another free best-of-breed option out there? Setting OpenBSD up as a firewall is a piece of cake (IIRC, three or four intuitive config files all in /etc and their corresponding well-written man pages).
    • While the not-Linux comment is not true, it is important to remember there are other options. OpenBSD being one; FreeBSD and NetBSD are the others. You could even make a firewall router box that runs FreeDOS if you want to. Keep your options open.
      I have heard that the standard firewall in BSD is better than the standard firewall in Linux.
      I do believe that there are some router distros that run right from a CD-ROM. Getting rid of the hard drive seems like a good plan when it comes to things like a firewall.
      We use
      • Don't get me wrong, I would use Linux for just about any SMP Unix work. It still remains that if you're a security zealot then you would prefer security over a brand name. FYI there are reputable firewalls which run on Windows even, but I'm not using it... Take the latest OpenSSH bug: on all platforms other than OpenBSD the bug allowed a privileged overflow. While it's not perfect or easiest to admin, OpenBSD has the lowest root exploit count by far. After all it's a security device. BTW with respect to kk
        • I understand your point. My office already has W2K for our accounting box and Linux for our file server, firewall, gateway, DNS, and database server. Adding OpenBSD was not an option, just too many different OSs. Your situation will be different. As I said, OpenBSD is a fine platform for a firewall and probably many other uses.
  • Build it on whatever you use for your desktop.

    Compile your own kernel, and make the ram disk by copying libraries from your system as much as possible; this will make it easy to maintain. If you are willing to go the route of a bootable CD, you have a lot more room, and don't have to recompile every single thing just to get it smaller.

    You can look at some of the stuff I did here: http://rgr.freeshell.org/flinux/ Feel free to send me email if you have questions.

    BTW, there is no reason not to have the de
    • BTW, there is no reason not to have the development environment on the system. In fact, I don't see a reason not to make your main desktop system the same as the firewall machine.

      I can see a couple of reasons.

      If someone compromises a normal user account on your firewall, the next thing they will want to do is get root access. They might do this by compromising a daemon running as root.

      Your desktop machine will likely have more potential targets than your firewall.

      Separating the two means an attacker
    • Note: This is a plan, purchases made, lacking time.

      At a flea market, I purchased a hard drive hot-swap cradle. This is not to hot-swap, but to make a drive easily removable. I've also purchased an extra hard drive.

      The base OS install will be on the removable hard drive. I plan to copy what's needed from the OS install over to the fixed hard drive, making a second, stripped install.

      To run as a firewall, remove the extra hard drive.
      To build/install/upgrade, reboot with the extra hard drive plugged in, and
      • I think in a standard Linux distribution, the development tools will all be scattered around the filesystem in the usual places. So to use the additional hard drive approach, you might need to make your own bin / lib / include directories in there, and a shell script to appropriately adjust the paths when the drive is inserted.

        If you do this and get it working, send me an email because I'd be interested to hear how it worked out. Perhaps when your development drive is stable, you might just put it on a cdr
        • My plan is to generate a script to grab the necessary stuff off of the removable drive and populate a similar (but empty) filesystem structure on the fixed drive. I'd expect the result to look quite a bit like the existing bootable floppy/CDROM distributions, though probably not quite as space-efficient. (especially compared to the floppy-based ones) The key difference is that the script would allow me to regenerate the stripped version at will, say after applying security updates to the full version on the
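The "copy only what is needed onto the fixed drive" script planned in this post (and the "copy libraries from your system" approach in the parent thread) looks roughly like this. It is an added example, not the poster's own script: a POSIX shell helper that copies a list of binaries into an empty target root together with the shared libraries ldd reports for them, so no compiler, headers or package database end up in the image. Function names (copy_with_deps, build_root, count_files) and the sample binary list are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script): populate an empty target root with a
# list of binaries plus the shared libraries ldd reports for them, so the
# stripped firewall image carries no compiler, headers or package database.
# Function names (copy_with_deps, build_root, count_files) are assumed here.
set -eu

# copy_with_deps SRC_BINARY DEST_ROOT
# Copies SRC_BINARY to the same absolute path under DEST_ROOT, then every
# absolute path ldd prints for it. Run this only on binaries you already
# trust: ldd may execute the program's dynamic loader to resolve them.
copy_with_deps() {
    bin=$1
    root=$2
    [ -f "$bin" ] || { echo "missing: $bin" >&2; return 1; }
    mkdir -p "$root$(dirname "$bin")"
    cp "$bin" "$root$bin"
    # Static binaries make ldd print "not a dynamic executable"; that line
    # has no absolute path, so the loop below simply copies nothing.
    if command -v ldd >/dev/null 2>&1; then
        ldd "$bin" 2>/dev/null \
          | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' \
          | while read -r lib; do
                [ -f "$lib" ] || continue
                mkdir -p "$root$(dirname "$lib")"
                # plain cp follows symlinks, so the image gets the real .so
                cp "$lib" "$root$lib"
            done
    fi
}

# build_root DEST_ROOT BIN...
# Creates the minimal directory skeleton and copies every listed binary.
build_root() {
    root=$1
    shift
    for d in bin sbin etc dev proc sys tmp var/log; do
        mkdir -p "$root/$d"
    done
    for b in "$@"; do
        copy_with_deps "$b" "$root"
    done
}

# count_files DEST_ROOT: number of regular files in the image, handy for
# comparing two builds after a change to the binary list.
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Usage, e.g. for a netfilter-only box (paths are assumed):
#   build_root /mnt/stripped /bin/sh /sbin/iptables /sbin/ip /sbin/udhcpc
```

Re-running build_root after patching the full install regenerates the stripped tree from scratch, which is the point of scripting it rather than copying by hand.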
  • DEBIAN

    by Jeremiah Cornelius ( 137 ) on Friday October 17, 2003 @02:05AM (#7237596) Homepage Journal
    Debian.

    Seriously.

    It can build a TIGHT little install, on the base system. I can purge packages like Perl when it's done building - could even script dpkg/apt if I had to do this often.

    You wanted a source distro? You can do this with apt-source. Seems more painful than need be, with signed binaries available. I have been using the Adamantix packages (used to be Trusted Debian) and Bastille by Jay Beale and crew. I am pulling binary packages from my own apt repository, so the firewall itself doesn't pull from the Internet, but only from a dedicated admin segment.

    • http://www.yhbt.net/normalperson/debian/ [yhbt.net]

      From the Project Page:

      Introduction to APT-Fu

      Why?

      Why not? And because I can. It'll eventually make my life easier with optFiles/patches which allow me to upgrade packages while keeping most/all of any customizations I make to the original source package intact. I appreciate the work Debian maintainers do, but sometimes I would like to add my own flavor to things.

      Why Debian? Why not just use another source-based distribution?

      Debian has thousands of softw

  • by Anonymous Coward
    I have a Soekris net4501 [soekris.com] box as a firewall. It runs FreeBSD 4.x and has a 1GB microdrive as its primary storage, which is mounted "noatime" and with no local logging, so the microdrive rarely spins up. (I plan on changing it to log to a ramdisk and flush it to the microdrive once a day since sometimes I miss log entries, but that's another project). I actually only need about 64MB but I had the microdrive handy. In fact you can strip it down to 4-5MB if you are insane (see the excellent m0n0wall project).
  • by JumpSuit Boy ( 29166 ) on Friday October 17, 2003 @02:09AM (#7237607) Homepage
    The Soekris [soekris.com] set of embedded boards for this purpose have bred a number of projects that produce build setups for wired and wireless routers.
    Three points:

    they come with scripts and docs

    they produce bare (no dev tools) images to use on compact flash cards

    The dev machine is separate
    I use a modified version of OpenBSD on an old WatchGuard box.

    See Soekris on OpenBSD [google.com] and Soekris on FreeBSD [google.com]

  • Try LEAF. I've never done it as a source build, however, all the source is out there, and plenty of people work on it.

    http://leaf.sourceforge.net

    It is the successor of the LRP project.

    Kirby

    • Seconded...if you want to simplify it a lot, just use Coyote Linux [coyotelinux.com] (although it's not nearly as flexible as a modern LEAF distro like Bering, it's really easy to make go). LEAF is good.
  • Not really, but I do make a standard installation CD of my preferred distro.

    I have to manage a lot of similarly configured boxes. I use my favorite distro as a starting point, then trim off any fat/bloat, etc., and add specialized tools, which usually involves modifying some SPEC files for RPMs to build a new RPM.

    Once I get all the RPMs installed and built, I remove the development RPMs and other development tools.

    I then run MONDO ARCHIVE http://www.microwerks.net/~hugo/ [microwerks.net] and build a bootable rescue disk.
  • I used to work for a company that rolled their own booter box systems (I think there are some official ones now) about 5-6 years ago. It was a really sweet setup, 'cause all they had was 2 (primary/backup) booter boxes for almost everything; however, some were specialized booter boxes too, and most of the servers (over 100) were diskless machines which network booted every time off of these booter boxes. I know it seems elaborate, but it was also really awesome because you have centralized deployment so you nee
  • But be warned: it's a lot of work!

    A good start is obviously Linux From Scratch, but you might check Linux From Scratch Via RPM [puxedo.org]. Having some packaging manager like RPM helps a lot.

    But you have to write the build scripts on your own. I have created and am managing our in-house Linux distribution, and I had to write the build system that compiles the packages from spec files, sources and patches, keeps the build system clean, recognizes when spec files changed in order to recompile them, write a tool to com

  • When my company was connected to the Internet through microwave, we used floppyfw http://www.zelow.no/floppyfw/ booted from floppy. The firewall was an old AMD 486 machine (or was it an i386?) with 8MB RAM and two net cards. We never had any security problem; floppyfw worked perfectly and was very reliable.
  • Unless you have serious issues with disk space or use your own custom-designed processor for which only you have a compiler, what problems do you think having these tools around will cause? If someone roots you, I doubt the first thing they are going to do is to fire up emacs, write a remote shell, compile and install it. They can just do that at home, and upload the binaries. (They could also upload a compiler, if they had a reason to)

    This is the same as not having a text editor, so that an intruder cann

    • what problems do you think having these tools around will cause?

      It will allow an attacker to build their own software, which is guaranteed to work on the box they've rooted. (I know this is obvious, but it needs stating clearly because it's more important than you realize.)

      If they have precompiled binaries that won't run on your system (because you've deliberately chosen a system that's not common), they'll be forced to build their own - it won't stop them, but it will slow them down, or encourage them
  • Won't comment on the merits or lack thereof of putting development tools on a firewall machine, but I'm not sure I understand why you're having trouble installing your choice of software. Every package-based distribution I've used provides an option to select and install only individual packages.

    Depending on your tastes, give Slackware a look. The install is fast and simple, and its avoidance of rpm/apt means you can install code from source without worrying about screwing up the packaging database.
  • Smoothwall GPL [smoothwall.org]

    If you want the fancy features, then get the commercial version and enjoy the support.

    Why waste your own time re-inventing the wheel when it's already been done?

    • That's the only explanation I can think of why I, on a dialup line, managed to get rooted within a week of firing up a default smoothwall 2.0 install.

      Plus their fearless leader seems to be something of a belligerent (and possibly unstable) jackass (google it and see yourself). While I, too, have something of this trait, I'm not here asking people to trust their network security to me.

      ipcop is based on the early work on smoothwall. It's just as easy to install and configure and use, it's completely open so

  • My personal favorite of the "turnkey" firewall distros. Great features, very robust and quick enough to run on my lowly P120-96MB.

    I use it for FTP, WEB, SMB, AppleTalk and print server as well. Heck, they even give you a free dynamic DNS address.

    They also have a commercial version that supports IPSEC and PPTP, although you can install that stuff yourself.

    Check it out here [clarkconnect.org] for the hobbyist version, or here [clarkconnect.com] for the commercial version. Enjoy!

    -Fordboy0

  • Try IP-Cop [ipcop.org]. This is a GPLed fork of Smoothwall, fully featured, extremely small footprint. If you install the RPM version, then you can add libs and programs onto the install. Checking out the Forums [hopto.org] shows quite a number of addons, mods etc. that can be installed to give more flexibility (edonkey/MTA/ftp servers/samba/squid/proxies/filters/additional ID, etc.)

  • Take a look at Gibraltar [gibraltar.at]. It's a version of Debian designed for firewalls; it runs completely off of CD, so hackers have no hard drive to play with.
  • Roll your own RPMs, DEBs, whatever, then install them on the target machine. There are automated tools for building these packages already -- I'm not sure I see the issue here.

    You can also do this with the BSDs by changing the target directory for make install to be a new filesystem you're creating to image elsewhere.

  • by tzanger ( 1575 )
    LFS does NOT put the compiler on the final image unless you want it there. I make CF-booting LFS firewalls and can fit the kernel, iptables, iproute2, IPSec with NAT-T and X.509 support, PERL (yes PERL) and other goodies on a 16M CF disk.
  • coyote linux?

    by horatio ( 127595 ) on Friday October 17, 2003 @09:59AM (#7239253)
    Maybe I'm missing something, but isn't coyote linux [coyotelinux.com] a somewhat obvious choice for this?

    The scripts are open to modification as much or as little as you like. IIRC, the end of the script is building/compiling the packages you've requested.
  • Go with OpenBSD.

    If you're slightly more relaxed, Slackware is great - or any other no-frills distribution would do, like Tawnie - very small and tight, just like Tawnee Stone (hehehehehe, sorry 'bout that, the new name for the distribution is nice, but sounds too much like Tawnee).

    If you're relaxed and calm, any distribution is fine.
  • If you want to build your own using a prepackaged set of tools, I strongly suggest using buildroot [uclibc.org].

    My firewalls are all diskless boot machines (they pull their image from a server that's on a private network), so size *does* matter to me. Having the full development environment simply is not an option.

    As others have pointed out, having gcc on your firewall isn't going to provide you with a great deal of security. Just another (and a tiny one, at that) hoop to jump through. If they can root your box, then
  • I run Gentoo as my firewall. I build the entire firewall system in a folder on my main system, chrooted in the "build" folder. I build my entire system (firewall, fileserver: celeron500x2 on BP6, 256MB RAM) without X or anything fancy. Just the necessities. Then I copy the /firewallinstall folder to another hard drive and install grub to the MBR of the new drive. I also EXCLUDE copying any of the portage stuff, delete the portage and gcc related contents in /var and emerge unmerge gcc before the copy to get t
  • Hi,

    emKnoppix was conceived exactly for this purpose. One disadvantage of source distributions is that if there are bugs in, say, ssh, you are forced to apply patches and update. But if you follow a good distro like Debian, the patches are all there, well tested. So emknoppix uses Debian as the main distro and builds a compressed disk image which you can boot using a kernel, just like Knoppix.

    Even though the name is emknoppix, this is not a run-from-CD distro; the /etc is stored on hard disk (or flash or disk on

  • As much as I love Linux, I would have to say if security is concern #1, then use OpenBSD. It's pretty scary looking at all the stuff at linuxsecurity.org that is listed for all the distros. In fact if you go to http://www.linuxsecurity.com/advisories/ you can see they keep track of free/net/open BSD vulnerabilities too. The most recent OpenBSD advisory is dated 8/12/2002, where Mandrake's most recent is well... today.
    • In fact if you go to http://www.linuxsecurity.com/advisories/ you can see they keep track of free/net/open BSD vulnerabilities too. The most recent openBSD advisory is dated 8/12/2002

      The site is most certainly not up to date with OpenBSD! And even the advisories listed are not complete for their time period. This is not a good sign for a site supposedly devoted to security.

  • http://www.jimweller.net/jim/lfw/

    Rather than relying on some distro to do it for you. Biggest problem I had was getting a usable floppy image and using ext2 fs.

    Most of those root floppy distros use minix fs so if you want to see what is on them you need to mount a minix fs. I think there is a little more to it than that but not much. Basically what they do is create a kernel image and then use dd to put it on a floppy. Then they create the filesystem image and use dd with an offset to tell it where to

  • Linux packet filtering is just plain crap when compared to the others out there: IPFW, IPFW2, IPFilter, PF.

    Use one of the floppy-/CD-ROM-based BSD systems: ClosedBSD, MicroBSD, PicoBSD, emBSD.

    Or, build your own using FreeBSD, OpenBSD, or NetBSD.

    Once you start using a BSD-based firewall system, you'll never want to use Linux again. Plus, you won't have to worry about your packet filter changing completely in the next release. :)
    • Once you start using a BSD-based firewall system, you'll never want to use Linux again.

      Indeed, the syntax of iptables rules leaves a lot to be desired, to put it mildly. I much prefer PF over iptables, and easy syntax is one of the reasons for that preference. And I've been informed that iptables is not stateful without a kernel patch.

      • >And I've been informed that iptables are not stateful without a kernel patch.
        You have been misinformed. Check www.netfilter.org and see that it is stateful out of the box.
        • Erhm, it's not fully stateful since iptables doesn't track tcp sequence numbers after connection establishment.

          http://www.netfilter.org/documentation/pomlist/pom-extra.html#tcp-window-tracking

  • Try openBSD, it works very well, it's very secure out of the box, and the Packet filtering is very powerful. I've read in numerous places, even here on slashdot [slashdot.org], that it's superior to linux's ipchain/ipfilter.
  • I build my firewalls with either CD-ROM drives or read only NFS mount points.

    None of my firewalls first of all have any hard disks in them or floppy drives.

    Only CD-ROM drives or no drives at all.

    This is to ensure that should a fault occur, the attacker is totally king of a read-only file system.

    Which effectively makes my compromised firewall a kingdom of....nothing.

    Not only that, I just flip the power button.

    I have a small ram disk, enough to run the ipchains command from a small bash prompt so I can
    • I build my firewalls with either CD-ROM drives or read only NFS mount points. None of my firewalls first of all have any hard disks in them or floppy drives. Only CD-ROM drives or no drives at all.

      You're not wrong, but I haven't seen anyone mention this yet:
      A lot of SCSI drives have a jumper to set them "read-only". This can't be circumvented in software, and you still get the speed benefits of using a disk! This article has given me the push to get the firewall out of my desktop which is dual-booting

      • Yes, but Hard Disks are not cheap, plus they spin down, and fail. You cannot reboot either once that happens.

        CD-ROMS, coupled with a small Ram Disk, don't have that problem.

        You can also usually enable read only in the BIOS of the DISK as well.

        There are all sorts of ways to secure the console.

        -Hack
        • >Yes, but Hard Disks are not cheap, plus they spin down, and fail. You cannot reboot either once that happens.
          I reckon they're cheap. Damn cheap in fact. And some ugly BIOSes won't boot if your keyboard is not present, fair enough if the disk has failed.

          >CD-ROMS, coupled with a small Ram Disk, don't have that problem.
          Don't they? I've had CD-ROMS fail, and plenty more than hard disks. I also have CD-ROM's that "work" but can't read CD-R's. CD-ROM is my last choice for media to boot from or s

  • You can get build scripts for floppyfw:

    Floppyfw development directory [zelow.no]

    It's the "devkit" and I must admit it's not perfect yet but people use it and I will provide a better and full development system for building your floppyfw from scratch (the devkit has this already but it is not perfect yet). It will also have build scripts for ISO/CD and CF.

    So, it's possible to build floppyfw from scratch.
  • You should probably look at
    lwn.net/Distributions/ [lwn.net]

    Specifically, lwn.net/Distributions/index.php3#secure [lwn.net] and possibly also the special purpose distros (mini, floppy, cd, whatever).

    Engarde [engardelinux.org], Immunix [immunix.org], and Openwall [openwall.com] are all designed to be secure platforms for server or firewall development.

    If you want something small, you might look at LEAF [sourceforge.net] or Coyote or Wolverine [coyotelinux.com]. Coyote is free, Wolverine is $30-$120 depending on which license you need.

    Personally, I'm using Astaro [astaro.com] (free for personal use). It seems to be
