


Pic of Firewall

The Firewall Project

Codename: Bumble-me... er, bee

This is document version 4.11.2000.

Introduction

After a serious internal scrutiny of the network security on our home LAN, it was determined that there were weaknesses that could be exploited. At the same time, it was observed that on almost an hourly basis, attacks aimed at my network could be seen coming in through our Cable Modem from countries all over the world.

Bottom line - our security sucked and something had to be done about it. Before you get started you may wish to review the Pre and Post Firewall Security Scans that were conducted. They illustrate the gaping holes left by simply using some "firewall" software. You really need a hardened Operating System in conjunction with the software.

By the way, I would be remiss if I did not mention that the first step in any good security policy is secrecy. It is actually quite insane for me to share with the world what type of firewall I am using, so you don't need to make the same mistake. I am only doing this because I know there are a lot of people out there who could potentially benefit from the step-by-step instructions.

Table of Contents

  1. Phase 1: The Search for Software
  2. Phase 2: The Search for Hardware
  3. Phase 3: Preparing for Install
  4. Phase 4: The Firewall Install
  5. Phase 5: Configuring Workstations
  6. Phase 6: Daily Use
  7. Issues: Issues and Afterthoughts
  8. Resources

Please note that this document is extensively hyperlinked. Everything you need for reference purposes should be right here should you need to print this document out, but that shouldn't discourage you from following links to the many interesting pictures and Web sites while you are here.

Phase 1: The Search for Software

The revelations above turned my attention towards finding a suitable replacement to our previous network security which consisted of a Windows98 PC with dual NICs running a combination of BlackICE Defender (Sucks bad) and Conseal PC Firewall (Nice try).

The search for Firewall software included the following sources:

Ultimately, the decision was made to implement the NetBSD/i386 Firewall Project which has been developed/supported by John Sinteur, Bert Driehuis and Joe Morris. The combination was based on the following factors:

Phase 2: The Search for Hardware

Initially, I began rummaging through my spare parts. I had enough to build a tower system with a 400 MHz Celeron, SDRAM and a 6 GB drive. However, I really didn't want to waste that good hardware on a box that just plain didn't need it. I'd rather waste it by putting together another completely unnecessary workstation to play with.

Instead, I turned to an old IBM 486 that was previously gathering dust in a box of relics (sitting right beside my trusty 286 laptop and TI99/4a). The following are the Firewall Machine details, complete with links to Photographic evidence:

To be honest, I only used this relic of a machine as a proof of concept. Here are some details for the rest of the Network:

Phase 3: Preparing for Install

In order to be prepared for the installation:

  1. I first downloaded and created the NetBSD Firewall install Boot disk.
  2. I made sure there was nothing on the old PS/1 that I wanted to keep since the hard drive was going to be wiped clean.
  3. Next, I opened the case on the PS/1 and removed ALL peripherals (CD ROM, Sound Card, Modem).
  4. I installed two Network Interface Cards in the machine.
  5. I made note of the MAC Addresses of each NIC card. If you cannot do this prior to install you will have to use trial and error during install.
  6. I installed an additional 8 MB of RAM, since it previously only had 4 MB.
  7. I made note of the physical Characteristics of the Hard Drive (Cylinders/Heads/Sectors).
  8. I went to the Shields UP! web site and ran a scan on my network with my current security. It was pathetic...
  9. I gathered the following information about my Internet Service Provider and wrote it down:

Phase 4: The Firewall Install

With the exception of a few issues noted later on, the installation was a breeze. Just to walk you through it graphically, so you know what to expect should you attempt this install, I took digital pictures of many of the key steps along the way. I apologize if some of them are a bit blurry, but I'm no photographer and trying to hold the camera still when you aren't using a flash can be difficult.

First of all, you need to hook a Cat 5 cable from your Cable (DSL/T1) Modem/Router to one of the Ethernet cards and make note of the MAC address of that card. The other Ethernet card should be plugged into your Hub/Switch. REMEMBER, when you are hooking two machines directly together from NIC to NIC without using a hub you must use a Crossover Cable. This is a special cable that has one of the wires switched from a standard Ethernet cable. So, don't get this one mixed up with the others! You probably already had it going from your Cable Modem into your PC. Remove one end of it from the PC and plug it into the firewall.

Initially, we start the software installation by creating a boot disk on a 3.5" floppy. This is very simple. You download the "Disk Image", which is a mirror copy (sector by sector) of an original, and write it onto a floppy disk. Follow the instructions at http://www.dubbele.com/getting_software_ready.html. Please note that you cannot simply copy the Disk Image file onto the disk. You MUST follow the instructions to create the disk.

After creating the floppy disk, you have done 1/2 of the work you are going to have to do! Now, simply place it in the disk drive of the new Firewall machine, while it is turned off, and turn it on. As the computer boots up it will read the Operating System off the floppy disk and begin booting into a NetBSD interface. It will look like this:


Initial Boot Screen

The first thing that appears is a Boot Menu. Choose either the Fixed or Dynamic IP address option. This installation used a Fixed IP address. If anyone else tries this with a Dynamic IP address and wishes to notate the process, I will be happy to post that information here with full credit given.


Boot Menu Screen

After choosing a Fixed or Dynamic IP system, the Install is getting closer to formatting the hard drive and beginning installation of the Operating System. WARNING: This is when you wish you had followed my earlier advice to make sure that you got everything you wanted off this machine. Choose the menu option to continue and set up the hard drive.


Erase Disk Confirmation

Next, the Disk Select menu will appear. You may either use the automatic settings that were detected, or you may input your Hard Drive's physical characteristics by hand.


Disk Select Menu

After setting the physical characteristics of the drive, partitions to be created are displayed. This is honestly the last chance to get anything you need off the drive. You can still cancel the install and walk away at this point.


Partition Menu

Let 'er rip! Tell it to go ahead and create the Firewall.


Last Chance Menu

The old drive data is now gone and the new Partitions are in place.


Format Complete

The next step requires you to answer questions about the Internet Service Provider that were gathered previously. Simply plug in the data...


Enter ISP Info

And Confirm.


Confirm ISP Info

OK folks. At this point, hopefully you will be proceeding to the next step: Downloading the full installation. But in case you encounter an issue there are a few things for you to double check:

At this point, hopefully the machine has gone online and begun downloading the Operating System. If you see this, you are basically home free! Go get a beer or a coke and wait for it to finish.


Downloading...

Once the installation has finished downloading (about 14 MB) it has to unpack the archive. Once this has completed, the installer asks for input to continue. I am not really sure why, but I presume that if there were any errors it would need to go back online to attempt a fresh download or something... Anyway, tell it OK.


Unpacked...

Next, the unpacked archive has to be compiled into an actual OS. This took about 30 minutes on my very slow old 486. Presumably on a Pentium class machine this could happen in a couple of minutes.


Making...

Now you are Done! Remove the floppy from your 3.5" Drive.


Done!

Simply instruct the Firewall to reboot, and then log in for the first time following these instructions: http://www.dubbele.com/cheking_works.html.
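Once you are logged in, it is worth confirming that the NIC whose MAC address you wrote down in Phase 3 is the one holding the outside (ISP) address, and that the other NIC holds the LAN gateway address 192.168.1.250. The helper below is an added example, not part of the original page or of the NetBSD Firewall Project; it parses NetBSD-style `ifconfig -a` output (a constructed sample is embedded, with made-up MAC addresses and a TEST-NET outside address) and checks that the two roles land on two different interfaces.

```shell
#!/bin/sh
# Added example: map MAC address and IP address to interface names in
# NetBSD-style "ifconfig -a" output, then check the inside/outside split.
# NetBSD prints the hardware address on an indented "address:" line.

# Constructed sample output (MACs and outside IP are made up for the example).
SAMPLE='ne0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:40:05:a1:b2:c3
        inet 203.0.113.7 netmask 0xffffff00 broadcast 203.0.113.255
ne1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:40:05:d4:e5:f6
        inet 192.168.1.250 netmask 0xffffff00 broadcast 192.168.1.255
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 33192
        inet 127.0.0.1 netmask 0xff000000'

# Print the interface whose "address:" line matches MAC $2 (case-insensitive).
iface_by_mac() {
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-F' 'a-f')" '
        /^[a-z]+[0-9]+:/ { split($1, f, ":"); cur = f[1] }
        $1 == "address:" && tolower($2) == want { print cur; exit }'
}

# Print the interface whose "inet" line carries IP address $2.
iface_by_ip() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[a-z]+[0-9]+:/ { split($1, f, ":"); cur = f[1] }
        $1 == "inet" && $2 == want { print cur; exit }'
}

# Succeed only if the recorded outside MAC ($2) and the LAN gateway IP ($3)
# are both found and sit on two different interfaces.
check_split() {
    outside=$(iface_by_mac "$1" "$2")
    inside=$(iface_by_ip "$1" "$3")
    [ -n "$outside" ] && [ -n "$inside" ] && [ "$outside" != "$inside" ]
}

# On the firewall itself, run it against the live output:
#   check_split "$(ifconfig -a)" 00:40:05:a1:b2:c3 192.168.1.250 && echo "NICs are split correctly"
```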


Done!

After all of that stress, you can sit back and stare out my window at the backyard...


My Back Yard.

Phase 5: Configuring Workstations

Coming soon... Step by step instructions on configuring Win95/98/2000 (and maybe BeOS and possibly even some Unix variant) to access the Internet through the Firewall.

For now, check http://www.dubbele.com/home_computer.html for the basics.

If you are a Newbie to Networks, you may want to check out my old document on how to set up a network. After you do so, just remember that your new GATEWAY IP address is 192.168.1.250.

Phase 6: Daily Use

One of the benefits of running a Unix-based Firewall is that the operating system is not going to crash on a daily basis like Windows platforms do. As a result, there is not much to do on a daily basis. Once you boot up the machine, you can log in as ROOT and experiment with basic Unix commands if you like, but that's about all the machine does.

From my experience with other Unix variants (Linux, BSD) this box will probably run great for months at a time without ever rebooting. So, you aren't going to experience the joy of constantly messing with it. :-)

I recommend you go out and get a book about Unix like I did.

UNIX for Dummies

Resources

Reference Sites:

Firewalls:

Site Scanning Services:

Bandwidth / Throughput Testing Services:

Home Networking Tutorials:

Speeding up your Cable / DSL Connection:

Issues: Issues and Afterthoughts

The After Thoughts

There were a few issues encountered which made this particular installation tricky. Anyone who is going to install a foreign operating system, especially on hardware that they are uncertain about, is likely to encounter unusual circumstances. For this reason, I recommend that anyone who wishes to duplicate this installation take all appropriate precautions to have backup plans in place.

Philosophically speaking, this was basically a game for me. I am a very experienced systems administrator who has literally built somewhere on the order of 1000+ PCs from scratch. Remember that in life we pay for everything. If you are reading this because you want a FREE firewall, and you intend to use the cheapest hardware you can find, I hope you are very experienced. Because cutting costs by purchasing cheap NIC cards, using old hardware, etc. will likely cost you time and frustration.

The Issues

Other Random Issues

I have an unusual performance issue going on now. Previously I was using one of my machines as a proxy/firewall and all of my machines performed pretty well. After redoing the LAN to send all traffic through the firewall, I was experiencing very poor performance from both of my Windows machines.

I finally went to speedguide.net and downloaded some scripts to change my registry settings to optimize performance for the @Home network. Now, on my Win2000 machine, it is faster than it has ever been in the past. However, nothing I can do to my Win98 machine will speed it up.

I have changed settings out the wazoo, and even blanked the hard drive and reloaded everything. Still, it bogs down even checking e-mail! Of course, when I transfer files within the LAN it performs fine, so I have ruled out the NIC, cable, and port on the hub. This probably doesn't have to do with the Firewall, but I am not sure...

The latest development is that I installed a Proxy Server on my Win2k machine and route all of the Win98 machine requests through it. Now the Win98 machine hauls ass... but really it is the Win2k machine doing it. I have spent HOURS changing registry settings and experimenting with the Win98 machine to no avail.

I kind of suspect that the Firewall has some settings that are not matching what is going on either with my LAN or @Home. If anyone knows how to change MTU, TTL, RWIN and other performance settings for Unix, please let me know how!

During the Firewall software installation the box was getting roughly 600 Kbps to the install server. I have since managed to get 3.4 Mbps from the Win2k machine going through the firewall to supernews.com.

3.4Mb Throughput Pic




This page last updated 4/11/2000 at 12:00pm by john@pozadzides.com
Copyright 1996-2000 © John Pozadzides. All rights reserved.