ClosedBSD 1.0b Released

An unnamed reader submits: "Joshua Bergeron released ClosedBSD 1.0B today. ClosedBSD is a firewall which boots off of a single floppy diskette, and requires no hard drive. It is based off of the FreeBSD kernel, and uses ipfw as its native ruleset manager. Best of all: it is freely available under the BSD License. ClosedBSD also features an advanced curses-based configuration utility for designing and managing firewall rulesets: Screenshots available."
  • Choice is nice, but do we really need n+1 floppy-based firewalls? It seems like another beta of $nat_fw_kit comes out every other day, often only differentiated by the user interface and nothing else. Seems to me like these guys should pool together and try to merge the best of everyone's toolset.
    • by cetan ( 61150 ) on Monday March 04, 2002 @12:05PM (#3105559) Journal
      Well, do we really need 31 flavors of Linux? :)
    • by saintlupus ( 227599 ) on Monday March 04, 2002 @02:11PM (#3106480)
      Seems to me like these guys should pool together and try to merge the best of everyone's toolset.

      Probably, but then again, that could be said for any of the millions of other projects out there.

      How many editors do we really need? Window managers? Databases? Web browsers? MP3 encoders? CD players? Etc...

      The big power of using a *nix on my home machine is setting everything up _just_ like I want it, from the shell to the WM to the browser. My Linux box looks completely different from anyone else's that I know, but it works perfectly for me.

      --saint
    • by NWT ( 540003 ) on Monday March 04, 2002 @02:35PM (#3106658) Homepage
      do we really need n+1 floppy-based firewalls ?
      Perhaps yes, perhaps not ... IMO it's better to get a 1GB hard drive to install the full FreeBSD distribution, not only a kernel and some stuff, because you'll have a lot more possibilities to play around with ;)
      On the other hand, they're useful, if you need a firewall/gateway solution in very short time ... for example in case of a harddrive failure, you put in the floppy, and your firewall/gw is back up and running in no time!

      Seems to me like these guys should pool together and try to merge the best of everyone's toolset.
      Nope, there I can't really agree ... it's very hard to mix different things together to get one good thing. Suppose you want to buy a new stereo, and you put together the best product from each of the big companies (f.e. the amplifier from JeVeCe, the MP3 player from sonie, the speakers from YXC)... when you put the thing together you'll experience a lot of problems due to incompatibilities between the different parts. With software, it's the same, merging is tough and requires a big effort ...

      - Don't get upset, it's just _my_ opinion!
      • IMO it's better to get a 1GB hard drive to install the full FreeBSD distribution, not only a kernel and some stuff, because you'll have a lot more possibilities to play around with ;)

        And so will the hacker who roots your firewall, thanks to all those possibilities. ; )

        IMO, get a cheap 32MB Compact Flash card and IDE adaptor, install emBSD and watch them try to root it.

        With firewalls, small is best. If you're running any services beyond perhaps ssh, or have non firewall critical binaries or compilers lying around, you're asking for trouble.

    • by wholesomegrits ( 155981 ) <{wholesomegrits} {at} {mchsi.com}> on Monday March 04, 2002 @04:11PM (#3107452)
      No kidding. I feel like saying FOR FUCKS SAKE, WHY USE A FLOPPY? It's 2002, I think we can move beyond an aged, failure prone media. Read this recent slashdot discussion [slashdot.org] and why I think floppy based distros are shit. It's just a stupid idea.

      What does a new hard disk cost? Peanuts. Is reliability something that nobody cares about? All the tired arguments "Oh, you only use the floppy at bootup" and "Don't reboot it!" are pointless. Fact is, the thing could fail, and you'd not know it. Besides, does nobody keep log files anymore? I would think that the prevailing common sense would be to keep logfiles and update software now and then.
      • Last time I read something about firewalls (from O'Reilly I guess), it seems just a bad idea to keep the log on the disk in case of an intrusion which breaks everything on that very disk.
      • FOR FUCKS SAKE "Is reliability something that nobody cares about?" is exactly WHY you would want only a floppy!

        The FACT (not "tired argument") that you only use the floppy at bootup is a totally viable point. You DO only use it at boot, so what exactly is your point about reliability?

        "Fact is thing could fail . . . " blah blah blah. What does that mean? What could fail, the floppy? Yeah, OK. The machine could fail, sure, but it has a far smaller chance of failure with fewer parts (and if you set it up correctly there is monitoring going on.)

        Fewer moving parts, it's that simple. The firewall doesn't need to do any fancy crap, it needs to filter packets, masquerade packets and that's it.

        Software DOES get updated with floppy based systems, you stick in a new floppy and reboot.

        Log files are the only valid point you even come close to making. Yes, you want to log. You CAN do that with a floppy based system by storing the logs on a device that is loaded in RAM. Of course the logs are lost if you reboot, but firewalls don't reboot by accident. Uptime on mine is over 120 days. A cron job tars and compresses the logs and ftps them to a "server" that can store the information.

        Overall floppy based "distros" are great for firewall-VPN-gateway-router type applications. In fact, what do you think a Checkpoint firewall or a Cisco router is? These are appliances that boot from a very small device (ROM, etc), have no moving parts and perform routing and firewall functions. Checkpoint is a BSD kernel, JUST LIKE this ClosedBSD project!
        • The point about failure, I believe, is that the floppy could fail without you realizing it, and then you're screwed when you try to reboot/update something, whenever that may happen. (say if there's a power failure, for one) Seems to be a rather minimal problem to me, unless you're prone to "oh shit, it's not working" panic attacks.

          I suppose a hard drive would be a more reliable alternative, but a bit of overkill. Booting from ROM or flash would be optimal.

          Logs can be preserved with a printer, or email/ftp/a different machine.
          • How trivial is it to keep a floppy image on another computer? Floppies are disposable media, I'm always chucking them out and getting a new box. They have become a boot image tool rather than a storage media.
      • Floppy-sized distros can be burned to an EPROM. That means, basically, your OS is on your NIC. I.e., driveless boot.

        Reliability? Yup, it's there. Moving parts? Forget it.

      • Advantages of a floppy over a harddrive for a firewall:

        1) if you write-protect a floppy, no one can log in as root and change the write attribute on the mounted partition.

        2) because of 1), if (when) someone cracks the box, they can't install a rootkit or otherwise compromise your binaries (except in memory, in which case the fix is to reinstall by rebooting).

        3) you don't want to keep log files on the firewall anyway. You want to use the syslog facility to log elsewhere where they can be stored out of harm's way. (ideally on a dot matrix printer, less ideally on a computer on the network.) Without a /var partition and minimal binaries, why do you need a hard drive at all?

        It's true that you could use a CD-ROM for all this instead, but at the same time, you can only tweak the configuration on a CD-RW drive so many times, which can be an irritating process in and of itself.

        • 1) if you write-protect a floppy, no one can log in as root and change the write attribute on the mounted partition

          Mount the file system as read only on the HD.

          Without a /var partition and minimal binaries, why do you need a hard drive at all?

          Reliability.

          There are NO advantages to using a floppy. A CD-R, EEPROM (like someone suggested) or hard disk can do everything, but a whole lot better.
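The setup the two previous comments argue about (system media mounted read-only, logs shipped off the box over syslog, a small ipfw ruleset) sketched as FreeBSD 4.x configuration fragments. This is an added illustration, not ClosedBSD's own configuration; the interfaces ed0 (outside) and ed1 (LAN), the 192.168.1.0/24 LAN, the firewall's LAN address 192.168.1.1 and the host name loghost are assumed.

```conf
# /etc/fstab (assumed disk layout): root read-only, so a cracked box cannot
# have its binaries rewritten any more than a write-protected floppy could;
# /var lives on a memory file system and is lost on reboot, like the RAM
# disk described in the thread.
/dev/ad0s1a     /       ufs     ro              1       1
/dev/ad0s1b     /var    mfs     rw,-s=8192      0       0

# /etc/rc.conf: only what a filtering/NAT gateway needs
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
firewall_logging="YES"          # net.inet.ip.fw.verbose=1, so "log" rules hit syslog
natd_enable="YES"
natd_interface="ed0"
syslogd_flags="-ss"             # send to loghost, never accept remote syslog input
inetd_enable="NO"
sendmail_enable="NO"

# /etc/syslog.conf: nothing worth keeping stays on the firewall
security.*                              @loghost
*.notice;kern.debug;auth.*              @loghost

# /etc/ipfw.rules: loaded by rc.firewall as "ipfw <file>" (one rule per line)
add 100 allow ip from any to any via lo0
# antispoof: LAN source addresses must never arrive on the outside interface
add 200 deny log ip from 192.168.1.0/24 to any in via ed0
# NAT for everything crossing the outside interface
add 300 divert natd ip from any to any via ed0
add 400 check-state
# LAN hosts may open TCP and DNS sessions outward; replies ride the state entry
add 500 allow tcp from 192.168.1.0/24 to any out via ed0 keep-state
add 510 allow udp from 192.168.1.0/24 to any 53 out via ed0 keep-state
# the only service on the box: ssh, reachable from the LAN side only
add 600 allow tcp from 192.168.1.0/24 to 192.168.1.1 22 in via ed1 keep-state
# default deny, logged (log entries show up on loghost under security.*)
add 65000 deny log ip from any to any
```

With root read-only, a configuration change means taking the media to a writable machine (or remounting it read-write for the edit), which is exactly the trade-off the thread is weighing.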
      • Hold your horses there now about floppies. Aren't we just now ending the use of punch-cards at voting booths?
  • IPFW vs. IPTables (Score:3, Interesting)

    by silicon_synapse ( 145470 ) on Monday March 04, 2002 @12:26PM (#3105665)
    I've never used/heard of IPFW. How does it compare to IPTables? Do you get the same level of granularity?
    • Re:IPFW vs. IPTables (Score:3, Informative)

      by NWT ( 540003 )
      First of all: Netfilter/iptables is Linux stuff, IPFW is from *BSD!
      I think iptables has a lot more features than IPFW, and of course, the syntax is different!

      Another interesting thing is that the first Linux packet filter was a port (done by Alan Cox) from BSD's IPFW to (the Linux) Kernel 1.1!
  • by Anonymous Coward
    > man picobsd
    PICOBSD(8) FreeBSD System Manager's Manual PICOBSD(8)
    NAME
    picobsd - floppy disk based FreeBSD system

    SYNOPSIS
    picobsd [options] [floppy-type [site-name]]

    DESCRIPTION
    picobsd is a script which can be used to produce a minimal implementation
    of FreeBSD (historically called PicoBSD) which typically fits on one
    floppy disk, or can be downloaded as a single image file from some media
    such as CDROM, flash memory, or through etherboot.
    • by Anonymous Coward
      closedbsd has a full menu front end for configuring firewall rules, and an init(8) replacement that looks like it might actually *work*.. this differs from picobsd in many ways.
  • by MavEtJu ( 241979 ) <[gro.ujtevam] [ta] [todhsals]> on Monday March 04, 2002 @04:37PM (#3107712) Homepage
    I'm sorry but it has been months since I've used a floppy. And that was to test out PicoBSD. I would be much more happy to see a bootable cd-rom based thingie, which would allow me to put some bigger stuff on it, like sshd, tcpdump, trafshow, ngrep et al. Despite that it is only a firewall, I need these tools to debug stuff.
    • What about both?
      A CDROM for the big stuff and a floppy for the config stuff. You can then flip the write protect tab when you get the setup the way you want.
      A password could even be set on the floppy which is encrypted with the config file to keep everyone else from looking at the config file on the disk and devising breaks.
      That way someone couldn't drop by to copy the disk, go home and analyze your setup and devise breaks on a private setup until it works.

    • A CD-ROM would not let you put anything on the system. You need a hard drive for that. Bootable CD-ROMs are based off of floppy images (El Torito standard for x86), so there is no reason you couldn't just burn the floppy image to a CD with your custom setup of tcpdump, ngrep et al.

      There are some that would say you shouldn't be running these applications from your firewall anyway, but from another machine on your network. The only reason utilities would need to be on your firewall is to measure the kinds of traffic outside of your network, and that would still be better to run from an external workstation. Such complexity might lead to your firewall failing.
      • There are some that would say you shouldn't be running these applications from your firewall anyway, but from another machine on your network. The only reason utilities would need to be on your firewall is to measure the kinds of traffic outside of your network, and that would still be better to run from an external workstation.

        I don't agree with your reasoning. If you are investigating a normal problem on your network, you can do it this way. If you are investigating a normal problem outside your network, you can do it this way.

        But if you are investigating a problem between your network and outside your network, you need to do it on the firewall because that's where the magic is happening!

        You *might* see what is not working in your network, you *might* see what is not working outside your network, but you will have to check it on the box where the address-translation is done, where the firewall rules are checked, which has a list of access-rules. If your machine doesn't have the tools to debug you're screwed++ and in deeper trouble than the one you're in when you are running into trouble.
    • Is there a cd-rom based distribution of Linux?
      If so, where can one find it?
  • Most people I know (including myself) have their firewall/modems/network kit at home stacked in a (broom)closet. Why not name it ClosetBSD? :-)

    And secondly, what does this distro do extra that I can't duplicate using PicoBSD? Only a front-end menu?

  • On their site on the contributions page this guy points to the FreeBSD project and the picoBSD project. I'm glad to see this, give credit where credit is deserved. Nice work on his part, and send some of the money back to the FreeBSD guys so they can keep up the great work they're doing. Props guys...


  • Here's the link. Looks fairly interesting for comparison to ClosedBSD 1.0. I imagine that ClosedBSD 1.0 is going to have a nicer "interface" as it is specialized. For those of you who are antsy about floppies, you might have to pay for that predilection in more config time.

    http://bsdtoday.com/2002/March/Features646.html
