Firewall

From VoidWarranties - Hackerspace Antwerp, Belgium

{{Project
|Current=No
|Category=Security
|Logo=Firewall.jpg
|Participants=TomD
|Locations=Den Bunker,
|Short description=With so many ongoing IT related projects, it's always good to have some control over the network traffic.

Enabling some extra services at the space or blocking some traffic from outside the space would just be a nice-to-have toy to play with.
}}

== Watchguard FireboxV60 ==

===Hardware specifications===
* Ram: 64Mib (PC100 or PC133 sdram)
* Storage: 128Mib compactflash
* CPU: ??? (pentium II or III to be confirmed)
* Network: 6x 10/100Mbit
* Serial console port (RJ45 on the front panel)
* Power consumption: ??? to be measured.

===Firewall OS Possibilities===
* Default Watchguard OS (are you nuts?)
* [http://pfsense.org pfSense] (current amount of ram and compactflash storage are too small; the ideal minimum would be 512Mib ram and 2 Gib compactflash)
* [http://m0n0.ch/wall/ m0n0wall]
* other, suggestions are welcome

===Installing m0n0wall / flash the image to compactflash===
* The long version can be found here: http://doc.m0n0.ch/quickstartpc/index.html
===Status FireboxV60===
# The existing compact flash image with the Watchguard OS has been backed up to the home directory of Barputer and is called FireboxV60, should someone feel the desire to restore to factory defaults.
# The compactflash has been flashed with m0n0wall. The base system is recognised, but the specialty NIC is not (so with m0n0wall, 4 out of 6 network ports are unused).
# Looking to install pfSense (has more features, and the kernel is easier to access, so installing special hardware has a higher chance of success).
# Hardware needs a RAM and compactflash upgrade for pfSense to run comfortably (min 512 Mib ram and 2Gib compactflash).
# RAM is upgraded to 384 Mib and pfSense is flashed to a 4Gib compact flash (both kindly donated by [[Firemonkey]]). Unfortunately the Firebox won't boot off the 4Gib card, or the image is flashed wrong.
# SUCCESS, the FireboxV60 boots pfSense 2.0-RELEASE, albeit the 512Mib image and not the 4Gib image. Still one little annoyance: there is an interrupt storm at irq7 (ppc0 = parallel port). A preliminary test of pfSense shows no adverse effect, and the message only shows at the console, not in the ssh session.
# TODO: fixing the power supply; the 2 fans don't work anymore, so the power supply overheats at the moment. (No magic smoke has been observed.... yet :-|

==pfSense and Generic x86 or x64 hardware==

===Hardware===
pfSense can run comfortably on any x86 or x64 platform if you observe some minimum requirements.
* The absolute minimum is a '''cpu with 266 Mhz and 256 Mib ram'''. This means no extra features, such as snort or squid.
* CPU intensive tasks are (in order of intensity): VPN encryption, layer 7 filtering, traffic shaping, snort, squid, ...
* Memory intensive tasks are (highest memory requirement first): snort, squid and, to a lesser degree, traffic shaping.
* Recommended is more like a '''1Ghz cpu and 1Gib of ram''', plus 2 network cards (for easy setup).
Personally I always choose the fastest machine I can get, but power consumption must be less than 20 watts at full load, and idling at an even lower power consumption.

Here is a more [http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49 in-depth hardware sizing page].

===Selecting install method===
On the pfSense download page you can find 2 categories:
# embedded installs, in the form of a nanoBSD image
# live installs, in the form of an ISO or memory stick image
All install methods have the same features; the only differences are the install method and the targeted platform. The ISO and memstick images can be used as a live CD/bootable memory stick, with the option to install to hard disk. nanoBSD images are for embedded platforms and are installed the same way as m0n0wall (see the m0n0wall flashing section). The indications 512mb, 1g, 2g, 4g are the size of the slice and BSD partitions, and cannot be bigger than the rated capacity of your compactflash card.<br>
Personally, for a generic PC install, I prefer the memstick option (who still burns CDs?). A CD is only necessary for really, really, really old PCs that don't have a USB boot option in the BIOS. But those things are mostly power guzzling, noisy boxes or just plain slow (i.e. no PCI bus throughput).<br>
If it's the first time you meet a BSD distribution, choose the default or automatic options, so you don't have to wonder what the hell they mean with partitioning a slice. ;-)

'''Available download options'''
* pfSense-2.0-RELEASE-1g-amd64-nanobsd.img.gz
* pfSense-2.0-RELEASE-1g-amd64-nanobsd_vga.img.gz
* pfSense-2.0-RELEASE-1g-i386-nanobsd.img.gz
* pfSense-2.0-RELEASE-1g-i386-nanobsd_vga.img.gz
* pfSense-2.0-RELEASE-2g-amd64-nanobsd.img.gz
* pfSense-2.0-RELEASE-2g-amd64-nanobsd_vga.img.gz
* pfSense-2.0-RELEASE-2g-i386-nanobsd.img.gz
* pfSense-2.0-RELEASE-2g-i386-nanobsd_vga.img.gz
* pfSense-2.0-RELEASE-4g-amd64-nanobsd.img.gz
* pfSense-2.0-RELEASE-4g-amd64-nanobsd_vga.img.gz
* pfSense-2.0-RELEASE-4g-i386-nanobsd.img.gz
* pfSense-2.0-RELEASE-4g-i386-nanobsd_vga.img.gz
* pfSense-2.0-RELEASE-512mb-amd64-nanobsd.img.gz
* pfSense-2.0-RELEASE-512mb-amd64-nanobsd_vga.img.gz
* pfSense-2.0-RELEASE-512mb-i386-nanobsd.img.gz
* pfSense-2.0-RELEASE-512mb-i386-nanobsd_vga.img.gz
* pfSense-2.0-RELEASE-amd64.iso.gz
* pfSense-2.0-RELEASE-i386.iso.gz
* pfSense-memstick-2.0-RELEASE-amd64.img.gz
* pfSense-memstick-2.0-RELEASE-i386.img.gz
These can be found on a mirror server at http://files.nl.pfsense.org/mirror/downloads/, or you can select another mirror at http://www.pfsense.org/mirror.php?section=downloads

Latest revision as of 21:50, 30 May 2012
===Installing m0n0wall / flash the image to compactflash===
With physdiskwrite (use the -u flag if the target disk is > 800 MB; make very sure you've selected the right disk!!):

 physdiskwrite [-u] generic-pc-xxx.img

(you must use v0.3 or later!)

On FreeBSD:

 gzcat generic-pc-xxx.img | dd of=/dev/rad[n] bs=16k

where n = the ad device number of your CF card (check dmesg). Ignore the warning about trailing garbage; it's because of the digital signature.

On Linux:

 gunzip -c generic-pc-xxx.img | dd of=/dev/hdX bs=16k

where X = the IDE device name of your HD/CF card (check with hdparm -i /dev/hdX). Some CF adapters, particularly USB, may show up under SCSI emulation as /dev/sdX. Ignore the warning about trailing garbage; it's because of the digital signature.
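As an added example (not from the wiki page, m0n0wall or pfSense), a shell wrapper around the gunzip | dd step above: it refuses to write when the uncompressed image is larger than the target (the slice-size caveat from the pfSense section) and reads the written bytes back to check them, so a card that was "flashed wrong" is caught on the bench instead of at boot. The names `flash_image`, `image_size` and `target_size` are chosen here, and it assumes GNU coreutils and util-linux (`stat -c`, `sha256sum`, `blockdev`).

```shell
#!/bin/sh
# Added example: guarded image write with size check and read-back verification.
# Target may be a block device (/dev/sdX) or, for bench testing, a plain file.

# Size in bytes of the target: block device via blockdev, otherwise a regular file.
target_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# Uncompressed size from the gzip trailer (exact for images smaller than 4 GiB).
image_size() {
    gzip -l "$1" | awk 'NR==2 {print $2}'
}

# flash_image IMAGE.img.gz TARGET -> returns 0 only if the written bytes match.
flash_image() {
    img=$1; dev=$2
    [ -r "$img" ] || { echo "image not readable: $img" >&2; return 2; }
    [ -e "$dev" ] || { echo "target does not exist: $dev" >&2; return 2; }
    need=$(image_size "$img"); have=$(target_size "$dev")
    if [ "$need" -gt "$have" ]; then
        echo "refusing: image needs $need bytes, $dev has only $have" >&2
        return 3
    fi
    # Same write as the page's Linux command (bs=16k); notrunc keeps a file
    # target at its original size, like a real card.
    gunzip -c "$img" | dd of="$dev" bs=16k conv=notrunc 2>/dev/null \
        || { echo "write to $dev failed" >&2; return 4; }
    sync
    # Read back exactly the bytes written and compare SHA-256 digests.
    want=$(gunzip -c "$img" | sha256sum | cut -d' ' -f1)
    got=$(head -c "$need" "$dev" | sha256sum | cut -d' ' -f1)
    if [ "$want" != "$got" ]; then
        echo "verification FAILED on $dev" >&2
        return 5
    fi
    echo "verified $need bytes on $dev"
}

# Usage: sh flash_check.sh generic-pc-xxx.img.gz /dev/sdX
if [ $# -eq 2 ]; then flash_image "$1" "$2"; fi
```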