After undergoing a serious internal scrutiny of our network security on our Home LAN it was determined that there were weaknesses that could be exploited. At the same time, attacks aimed at my network were observed on almost an hourly basis, originating from countries all over the world and coming in through our Cable Modem.
Bottom line - our security sucked and something had to be done about it. Before you get started you may wish to review the Pre and Post Firewall Security Scans that were conducted. They illustrate the gaping holes left by simply using some "firewall" software. You really need a hardened Operating System in conjunction with the software.
By the way, I would be remiss if I did not mention that the first step in any good security policy is secrecy. It is actually quite insane for me to share with the world what type of firewall I am using, so you don't need to make the same mistake. I am only doing this because I know there are a lot of people out there who could potentially benefit from the step-by-step instructions.
Please note that this document is extensively hyperlinked. Everything you need for reference purposes should be right here should you need to print this document out, but that shouldn't discourage you from following links to the many interesting pictures and Web sites while you are here.
The revelations above turned my attention towards finding a suitable replacement for our previous network security, which consisted of a Windows 98 PC with dual NICs running a combination of BlackICE Defender (Sucks bad) and Conseal PC Firewall (Nice try).
The search for Firewall software included the following sources:
Ultimately, the decision was made to implement the NetBSD/i386 Firewall Project which has been developed/supported by John Sinteur, Bert Driehuis and Joe Morris. The combination was based on the following factors:
Initially, I began rummaging through my spare parts. I had enough to build a tower system with a 400 MHz Celeron, SDRAM and a 6 GB drive. However, I really didn't want to waste that good hardware on a box that just plain didn't need it. I'd rather waste it by putting together another completely unnecessary workstation to play with.
Instead, I turned to an old IBM 486 that was previously gathering dust in a box of relics (sitting right beside my trusty 286 laptop and TI99/4a). The following are the Firewall Machine details, complete with links to Photographic evidence:
To be honest, I only used this relic of a machine as a proof of concept. Here are some details for the rest of the Network:
In order to be prepared for the installation:
With the exception of a few issues noted later on, the installation was a breeze. Just to walk you through it graphically, so you know what to expect should you attempt this install, I took digital pictures of many of the key steps along the way. I apologize if some of them are a bit blurry, but I'm no photographer and trying to hold the camera still when you aren't using a flash can be difficult.
First of all, you need to hook a Cat 5 cable from your Cable (DSL/T1) Modem/Router to one of the Ethernet cards and make note of the MAC address of that card. The other Ethernet card should be plugged into your Hub/Switch. REMEMBER, when you are hooking two machines directly together from NIC to NIC without using a hub you must use a Crossover Cable. This is a special cable that has the transmit and receive wire pairs crossed relative to a standard Ethernet cable. So, don't get this one mixed up with the others! You probably already had it going from your Cable Modem into your PC. Remove one end of it from the PC and plug it into the firewall.
We start the software installation by creating a boot disk on a 3.5" floppy. This is very simple. You download the "Disk Image", which is a mirror copy (sector by sector) of an original, and install it onto a floppy disk. Follow the instructions at http://www.dubbele.com/getting_software_ready.html. Please note that you cannot simply copy the Disk Image onto the disk. You MUST follow the instructions to create the disk.
After creating the floppy disk, you have done half of the work you are going to have to do! Now, simply place it in the disk drive of the new Firewall machine, while it is turned off, and turn it on. As the computer boots up it will read the Operating System off of the floppy disk and begin booting into a NetBSD interface. It will look like this:
The first thing that appears is a Boot Menu. Choose either the Fixed or Dynamic IP address option. This installation used a Fixed IP address. If anyone else tries this with a Dynamic IP address and wishes to document the process, I will be happy to post that information here with full credit given.
After choosing a Fixed or Dynamic IP system, the Install is getting closer to formatting the hard drive and beginning installation of the Operating System. WARNING: This is when you wish you had followed my earlier advice to make sure that you got everything you wanted off this machine. Choose the menu option to continue and set up the hard drive.
Next the Disk Select menu will appear. You may either use the automatic settings that were detected, or you may input your Hard Drive's physical characteristics by hand.
After setting the physical characteristics of the drive, partitions to be created are displayed. This is honestly the last chance to get anything you need off the drive. You can still cancel the install and walk away at this point.
Let 'er rip! Tell it to go ahead and create the Firewall.
The old drive data is now gone and the new Partitions are in place.
The next step requires you to answer questions about the Internet Service Provider that were gathered previously. Simply plug in the data...
OK folks. At this point, hopefully you will be proceeding to the next step: Downloading the full installation. But in case you encounter an issue there are a few things for you to double check:
At this point, hopefully the machine has gone online and begun downloading the Operating System. If you see this, you are basically home free! Go get a beer or a coke and wait for it to finish.
Once the installation has finished downloading (about 14 MB) it has to unpack the archive. Once this has completed, the installer asks for input to continue. I am not really sure why, but I presume that if there were any errors it would need to go back online to attempt a fresh download or something... Anyway, tell it OK.
Next, the unpacked archive has to be compiled into an actual OS. This took about 30 minutes on my very slow old 486. Presumably on a Pentium class machine this could happen in a couple of minutes.
Now you are done! Remove the floppy from your 3.5" Drive.
Simply instruct the Firewall to reboot, and then log in for the first time following these instructions: http://www.dubbele.com/cheking_works.html.
After all of that stress, you can sit back and stare out my window at the backyard...
Coming soon... Step by step instructions on configuring Win95/98/2000 (and maybe BeOS and possibly even some Unix variant) to access the Internet through the Firewall.
For now, check http://www.dubbele.com/home_computer.html for the basics.
If you are a Newbie to Networks, you may want to check out my old document on how to set up a network. After you do so, just remember that your new GATEWAY IP address is 192.168.1.250.
One of the benefits of running a Unix based Firewall is that the operating system is not going to crash on a daily basis like Windows platforms do. As a result, there is not much to do on a daily basis. Once you boot up the machine, you can log in as root and experiment with basic Unix commands if you like, but that's about all the machine does.
From my experience with other Unix variants (Linux, BSD) this box will probably run great for months at a time without ever rebooting. So, you aren't going to experience the joy of constantly messing with it. :-)
I recommend you go out and get a book about Unix like I did.
Site Scanning Services:
Bandwidth / Throughput Testing Services:
Home Networking Tutorials:
Speeding up your Cable / DSL Connection:
There were a few issues encountered which made this particular installation tricky. Anyone who is going to install a foreign operating system, especially on hardware that they are uncertain about, is likely to encounter unusual circumstances. For this reason, I recommend that anyone who wishes to duplicate this installation take all appropriate precautions to have backup plans in place.
Philosophically speaking, this was basically a game for me. I am a very experienced systems administrator who has literally built somewhere on the order of 1000+ PCs from scratch. Remember that in life we pay for everything. If you are reading this because you want a FREE firewall, and you intend to use the cheapest hardware you can find, I hope you are very experienced. Because cutting costs by purchasing cheap NIC cards, using old hardware, etc. will likely cost you time and frustration.
I have an unusual performance issue going on now. Previously I was using one of my machines as a proxy/firewall and all of my machines performed pretty well. After redoing the LAN to send all traffic through the firewall, I was experiencing very poor performance from both of my Windows machines.
I finally went to speedguide.net and downloaded some scripts to change my registry settings to optimize performance for the @Home network. Now, on my Win2000 machine, it is faster than it has ever been in the past. However, nothing I can do to my Win98 machine will speed it up.
I have changed settings out the wazoo, and even blanked the hard drive and reloaded everything. Still, it bogs down even checking e-mail! Of course, when I transfer files within the LAN it performs fine, so I have ruled out the NIC, cable, and port on the hub. This probably doesn't have to do with the Firewall, but I am not sure...
The latest development is that I installed a Proxy Server on my Win2k machine and route all of the Win98 machine requests through it. Now the Win98 machine hauls ass... but really it is the Win2k machine doing it. I have spent HOURS changing registry settings and experimenting with the Win98 machine to no avail.
I kind of suspect that the Firewall has some settings that are not matching what is going on either with my LAN or @Home. If anyone knows how to change MTU, TTL, RWIN and other performance settings for Unix, please let me know how!
During the Firewall software installation the box was getting roughly 600 Kbps to the install server. I have since managed to get 3.4 Mbps from the Win2k machine going through the firewall to supernews.com.
This page last updated 4/11/2000 at 12:00pm by email@example.com
Copyright © 1996-2000 John Pozadzides. All rights reserved.