On Wed, Mar 14, 2001 at 01:31:01PM -0800, Dennis Eberl wrote:
>
> Yes, that (i.e., security) seems to be Van Rhadt's (if I have his name correct)
^^^^^^^^^^^
Theo de Raadt
> Thanks for pointing out OpenBSD's salability. I hadn't thought of that. Don't laugh,
> but can you get it (qua firewall) down to a diskette (or two) in size a la the Linux
> Router Project (LRP) and its permutations?
>
> Dennis Eberl
I subscribed to the [EMAIL PROTECTED] mailing list for a while, and this question
was asked with two good answers, which I saved. The first message is a bit
long, but good on the details; the second message takes it a bit further.
Basically, OpenBSD comes with what you need to make a floppy distro, but leaves
you with an open root console.
<[EMAIL PROTECTED]>
On Mon, 12 Feb 2001, Rod... Whitworth wrote:
> I want to put together a box to act as a filtering firewall/ NAT box with
> nothing else that is avoidable.
Use our built-in floppy-making capabilities. Here's my list of needed
programs, but you can trim it even further. Look in
/usr/src/distrib/floppies. The first is the 'list' file and the 2nd is the
file that makes the 'instbin' file, i.e. the one program that does
everything. And finally the Makefile, which is only slightly different from
the stock one.
# copy the crunched binary, link to it, and kill it
COPY ${OBJDIR}/instbin instbin
LINK instbin bin/cat
LINK instbin bin/df
LINK instbin bin/echo
LINK instbin bin/hostname
LINK instbin bin/kill
LINK instbin bin/ln
LINK instbin bin/ls
LINK instbin bin/pwd
LINK instbin bin/ps
LINK instbin bin/rm
LINK instbin bin/sh bin/ksh
LINK instbin bin/stty
LINK instbin bin/sync
LINK instbin bin/test bin/[
LINK instbin sbin/dump
LINK instbin sbin/fsck sbin/fsck_ffs
LINK instbin sbin/halt sbin/reboot
LINK instbin sbin/ifconfig
LINK instbin sbin/init
LINK instbin sbin/ipf
LINK instbin sbin/ipfstat
LINK instbin sbin/ipnat
LINK instbin sbin/mount
LINK instbin sbin/mount_ffs
LINK instbin sbin/ping
LINK instbin sbin/route
LINK instbin sbin/umount
LINK instbin usr/bin/diff
LINK instbin usr/bin/grep
LINK instbin usr/bin/head
LINK instbin usr/bin/last
LINK instbin usr/bin/less usr/bin/more
LINK instbin usr/bin/login
LINK instbin usr/bin/netstat
LINK instbin usr/bin/sed
LINK instbin usr/bin/sudo
LINK instbin usr/bin/tail
LINK instbin usr/libexec/getty
LINK instbin usr/sbin/sysctl
LINK instbin usr/sbin/syslogd
LINK instbin usr/sbin/ipmon
SPECIAL /usr/sbin/chown root.bin instbin
SPECIAL /bin/chmod 555 instbin
SPECIAL /bin/rm instbin
SPECIAL /usr/bin/chflags schg sbin/init
# `internal' crunchgen links
ARGVLINK sh -sh
# copy the MAKEDEV script and make some devices
COPY MAKEDEV dev/MAKEDEV
SPECIAL cd dev; sh MAKEDEV gatekeeper
SPECIAL /bin/rm dev/MAKEDEV
# various files that we need in /etc for the install
COPYDIR etc etc
COPY termcap usr/share/misc/termcap
SYMLINK /etc/termcap usr/share/misc/termcap
COPYDIR usr/local usr/local
COPY usr/bin/install usr/bin/install
COPY usr/sbin/timed usr/sbin/timed
SPECIAL /usr/bin/chflags schg usr/bin/install usr/sbin/timed
COPYDIR root root
COPYDIR usr/operator usr/operator
SPECIAL /usr/bin/chflags -R schg etc/ usr/local/ root/ usr/operator/
==========================
# $OpenBSD: instbin-nokrb.conf,v 1.10 1997/12/02 02:30:01 deraadt Exp $
#
# instbin-nokrb.conf - unified binary for the inst/upgr floppies
#
srcdirs distrib/special bin sbin usr.bin/less usr.bin usr.sbin
srcdirs gnu/usr.bin/sudo gnu/usr.bin libexec sys/arch/i386/stand
progs cat df diff echo
progs fsck_ffs getty head hostname
progs ifconfig init kill last less ln logger login ls
progs mount mount_ffs
progs netstat ksh pwd ps reboot rm route
progs sed stty sudo sync sysctl syslogd tail test umount
progs dump grep
progs ipf ipfstat ipmon ipnat
# restore, tar/pax, on maint floppy
ln fsck_ffs fsck
ln less more
ln ksh sh
ln ksh -sh # init invokes the shell this way
ln test [
ln reboot halt
libs -lutil -lm -ltermlib -lkvm -lskey -lcompat
=======================
# $OpenBSD: Makefile,v 1.27 1997/10/07 05:36:05 deraadt Exp $
TOP= ${.CURDIR}/..
.include "${TOP}/Makefile.inc"
IMAGE= mr.fs
CBIN?= instbin
.if (${KERBEROS} == "yes")
CRUNCHCONF?= ${.CURDIR}/${CBIN}.conf
.else
CRUNCHCONF?= ${.CURDIR}/${CBIN}-nokrb.conf
.endif
LISTS= ${.CURDIR}/list
MOUNT_POINT= /mnt
MTREE= ${.CURDIR}/mtree.conf
FS= floppy${REV}.fs
VND?= svnd0
VND_DEV= /dev/${VND}a
VND_RDEV= /dev/r${VND}a
VND_CRDEV= /dev/r${VND}c
PID!= echo $$$$
REALIMAGE!= echo /var/tmp/image.${PID}
LISTFLOPPY= ${.CURDIR}/list_floppy
# for sshd and scp support
CFLAGS+= USA_RESIDENT=YES --without-rsh --without-libwrap
LDFLAGS+= -static
LDSTATIC+= -static
all: ${FS}

${FS}: bsd.gz
	dd if=/dev/zero of=${REALIMAGE} bs=10k count=144
	vnconfig -v -c ${VND} ${REALIMAGE}
	disklabel -w -r ${VND} floppy3
	newfs -m 0 -o space -i 524288 -c 80 ${VND_RDEV}
	mount ${VND_DEV} ${MOUNT_POINT}
	TOPDIR=${TOP} CURDIR=${.CURDIR} OBJDIR=${.OBJDIR} \
	    TARGDIR=${MOUNT_POINT} sh ${TOP}/runlist.sh ${LISTFLOPPY}
	/usr/mdec/installboot -v -s 18 -h 2 ${MOUNT_POINT}/boot \
	    ${DESTDIR}/usr/mdec/biosboot ${VND_CRDEV}
	@echo ""
	@df -i ${MOUNT_POINT}
	@echo ""
	umount ${MOUNT_POINT}
	vnconfig -u ${VND}
	cp ${REALIMAGE} ${FS}
	rm ${REALIMAGE}

DISKTYPE= rdroot
NBLKS= 4046
# minfree, opt, b/i trks, sects, cpg
NEWFSARGS= -m 0 -o space -c 16 -i 4096

bsd.gz: bsd.rd
	cp bsd.rd bsd.strip
	strip bsd.strip
	gzip -c9 bsd.strip > bsd.gz

bsd.rd: ${IMAGE} bsd rdsetroot
	cp bsd bsd.rd
	${.OBJDIR}/rdsetroot bsd.rd < ${IMAGE}

bsd:
	cd ${.CURDIR}/../../../../sys/arch/i386/conf && config GATEKEEPER
	cd ${.CURDIR}/../../../../sys/arch/i386/compile/GATEKEEPER && \
	    make clean && make
	cp ${.CURDIR}/../../../../sys/arch/i386/compile/GATEKEEPER/bsd bsd

${IMAGE}: ${CBIN} rd_setup do_files rd_teardown

rd_setup: ${CBIN}
	dd if=/dev/zero of=${REALIMAGE} bs=512 count=${NBLKS}
	vnconfig -v -c ${VND} ${REALIMAGE}
	disklabel -w -r ${VND} ${DISKTYPE}
	newfs ${NEWFSARGS} ${VND_RDEV}
	fsck ${VND_RDEV}
	mount ${VND_DEV} ${MOUNT_POINT}

rd_teardown:
	@df -i ${MOUNT_POINT}
	-umount ${MOUNT_POINT}
	-vnconfig -u ${VND}
	cp ${REALIMAGE} ${IMAGE}
	rm ${REALIMAGE}

rdsetroot: ${TOP}/common/rdsetroot.c
	${HOSTCC} -o rdsetroot ${TOP}/common/rdsetroot.c
# -DDEBUG

unconfig:
	-umount -f ${MOUNT_POINT}
	-vnconfig -u ${VND}
	-/bin/rm -f ${IMAGE}

.PRECIOUS: ${IMAGE}

install:
	cp ${FS} ${DESTDIR}/snapshot/${FS}

${CBIN}.mk ${CBIN}.cache ${CBIN}.c: ${CRUNCHCONF}
	crunchgen -D ${BSDSRCDIR} -L ${DESTDIR}/usr/lib \
	    -c ${CBIN}.c -e ${CBIN} -m ${CBIN}.mk ${CRUNCHCONF}

${CBIN}: ${CBIN}.mk ${CBIN}.cache ${CBIN}.c
	make -f ${CBIN}.mk all

do_files:
	mtree -def ${MTREE} -p ${MOUNT_POINT}/ -u
	TOPDIR=${TOP} CURDIR=${.CURDIR} OBJDIR=${.OBJDIR} \
	    REV=${REV} TARGDIR=${MOUNT_POINT} sh ${TOP}/runlist.sh ${LISTS}

clean cleandir:
	/bin/rm -f core ${IMAGE} ${CBIN} ${CBIN}.mk ${CBIN}*.cache \
	    *.o *.lo *.c bsd bsd.rd bsd.gz bsd.strip floppy*.fs rdsetroot

.include <bsd.obj.mk>
.include <bsd.subdir.mk>
--
Network Security Technologies Inc. - Commercial support for OpenBSD
www.netsec.net (703) 561-0420 [EMAIL PROTECTED]
"Government is not reason; it is not eloquence; it is force!
Like fire, it is a dangerous servant and a fearful master."
- George Washington
>>>>> On Mon, 5 Mar 2001 10:04:45 -0500 (EST), Ken <[EMAIL PROTECTED]> said:
Ken> The Kindofblue project is actually a modification of the
Ken> "boot floppy" building scripts that are in the source
Ken> tree... Everything is there to use crunchgen and make like a
Ken> single floppy distro, however, you could be looking at a 2.88
Ken> floppy and a very stripped out kernel just to get basic
Ken> routing and firewalling.
Oh, you don't need a 2.88. I've got a perfectly functional
router/firewall appliance on a 1.44. I run a junkyard ISA-bus
486SX/33, with 8MB of RAM and three NICs of two flavors (ne/we).
Uplink speed is 128kb, DMZ and internal nets 10Mb. I run a mix of
bimap and port NAT, using proxy ARP to make the bimap work, and the
in-kernel ftp proxy for active-mode-only internal clients.
crunchgen/modified bsd.rd is the way I went, following Matthew
Patton's path, um, about two years ago. The most significant change I
made was to include netcat, and pull netstart and the ipf/ipnat rules
from an internal web server. I also dropped sshd. If something goes
wrong (which is rare), I just powercycle it.
I get uptimes of months before I decide to tweak something, since I
ripped out the (removed in -current) OBSD hostname-cache in ipmon.
Everything syslogs to an internal host, and I run timed to sync things
up across the internal (timesource ntp'd) net, the FW (slaved to
internal), and the DMZ hosts (slaved to the FW).
Ken> Also remember if there is no /etc/rc then once the kernel is
Ken> done booting, it spawns a shell and starts the appropriate
Ken> .rc for that shell (see kindofblue docs for specifics I can't
Ken> remember off the top of my head), but with this type of set
Ken> up a small script could effectively bring the entire server
Ken> up, only issue here though is the fact that you now have a root
Ken> shell active once the .rc is finished processing and this
Ken> doesn't bode well for physical security
This is a bother with 2.8's newly stripped-down init. It hasn't
irritated me sufficiently to solve the dilemma of choosing between:
- an rc script which starts everything, but leaves you without a
shell prompt on the appliance
- an rc script which doesn't run the startup but *does* leave you
with a shell prompt (from which you can run a startup script).
If I'm screwing around with stuff, I choose the former, and rewire to
the latter when I'm happy with things.
Unfortunately, as has been pointed out, crunchgen/instbin *is* a bit
of a black art. One particular tweak: I had to symlink
/usr/src/usr.sbin/timedd/ to usr/src/usr.sbin/timed/timed/ and spec
timedd in the crunchgen "list" to get it all to come out right.
-jml
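As an added example (not code from the thread, from Kindofblue or from NetSec's floppy scripts), here is an /etc/rc for such a crunched floppy appliance that brings the box up fail-closed and then hands the console to login instead of leaving init's root shell open; the interface names, addresses, rule-file locations and the assumption that init runs it as "sh /etc/rc" are all mine.

```shell
#!/bin/sh
# Added example, not from the thread: an /etc/rc for the crunched floppy
# firewall. Assumes the programs from the 'list' above (hostname, sysctl,
# ifconfig, route, ipf, ipnat, syslogd, login) are in the instbin crunch and
# that /etc/ipf.rules, /etc/ipnat.rules and /etc/syslog.conf were put on the
# floppy by "COPYDIR etc etc". Interface names and addresses are placeholders.
FW_HOSTNAME=fw.example.invalid
EXT_IF=ne0; EXT_ADDR=192.0.2.2; EXT_MASK=255.255.255.0; GATEWAY=192.0.2.1
INT_IF=we0; INT_ADDR=10.0.0.1;  INT_MASK=255.255.255.0
DMZ_IF=ne1; DMZ_ADDR=10.0.1.1;  DMZ_MASK=255.255.255.0
NL='
'

# With DRYRUN set, commands are appended to $TRACE instead of executed, so
# the ordering below can be checked without root and without a real box.
run() {
    if [ -n "$DRYRUN" ]; then
        TRACE="$TRACE$*$NL"
    else
        "$@"
    fi
}

rc_start() {
    TRACE=""
    run hostname "$FW_HOSTNAME"
    # Fail closed: no forwarding between the three NICs until the filter
    # and NAT rule sets have actually been loaded.
    run sysctl -w net.inet.ip.forwarding=0
    run ifconfig "$EXT_IF" inet "$EXT_ADDR" netmask "$EXT_MASK" up
    run ifconfig "$INT_IF" inet "$INT_ADDR" netmask "$INT_MASK" up
    run ifconfig "$DMZ_IF" inet "$DMZ_ADDR" netmask "$DMZ_MASK" up
    run route add default "$GATEWAY"
    run ipf -E -Fa -f /etc/ipf.rules     # enable ipf, flush old rules, load ours
    run ipnat -CF -f /etc/ipnat.rules    # flush NAT rules and load ours
    run sysctl -w net.inet.ip.forwarding=1
    run syslogd                          # syslog.conf forwards to the loghost
}

# init runs this file as "sh /etc/rc", so only the real appliance takes this
# branch; sourcing the file under another name (e.g. a test) does not.
case "${0##*/}" in
rc)
    rc_start
    # Rather than dropping back into init's root shell on the console, hand
    # the console to login so a password is needed to get a shell.
    exec /usr/bin/login
    ;;
esac
```

This keeps jml's "rc script which starts everything" behaviour while closing the root-console hole Ken describes; a console session still has to get past login, and root needs a password in the master.passwd copied onto the floppy.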