There's plenty of things we want to do next. For example, intrusion detection tools, or adding mail and web services to your setup.
Currently, we're simply working on getting all the details right, and making sure what we have now runs on as many systems as we can.
If you'd like to know more about NetBSD, install more than one firewall, or show your appreciation for our work, visit our CD and donation page.
If you want to run a web server behind your firewall, add a line to /etc/ipnat.conf to redirect to the web site:
rdr ep0 22.214.171.124/32 port 80 -> 192.168.1.101 port 80
(where 126.96.36.199 is the external address, 192.168.1.101 the web server address, and ep0 the external network interface; port 80 is the web server port.)
Then type "ipnat -f /etc/ipnat.conf" to load the new rule, or alternatively restart the firewall.
If you want to run other servers behind your firewall, just use the port number that service uses instead of 80 - but remember, every hole you punch in the firewall like this exposes a little more of your systems; make sure you know the server you're exposing is secure. For example, if you add a mail server (port 25), make sure it cannot be used to send out spam. If you're not sure, just mail us with your questions.
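As an added example (not part of the original page or the firewall distribution), a small shell script that reads the rdr rules from an ipnat.conf and lists every inbound hole they open, so you can review what is exposed each time a rule is added; the configuration file it parses is constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the services an /etc/ipnat.conf exposes through
# "rdr" rules. Every rdr line forwards an external port to an internal host,
# so the list below is the set of holes punched in the firewall.

# list_rdr FILE
# Prints one line per rdr rule: "<proto> <ext_port> -> <int_addr>:<int_port> via <iface>".
# Comment lines, blank lines and "map" (outbound NAT) rules are skipped.
list_rdr() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 != "rdr" { next }
        {
            proto = "tcp/udp"            # ipnat forwards both when no protocol is given
            if ($NF == "tcp" || $NF == "udp") proto = $NF
            # fields: rdr <iface> <ext_addr> port <ext_port> -> <int_addr> port <int_port> [proto]
            printf "%s %s -> %s:%s via %s\n", proto, $5, $7, $9, $2
        }
    ' "$1"
}

# count_rdr FILE: number of rdr rules, i.e. how many inbound holes exist.
count_rdr() {
    list_rdr "$1" | wc -l | tr -d ' '
}

# Constructed sample configuration (hypothetical addresses, not a real deployment).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# outbound NAT for the LAN
map ep0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map ep0 192.168.1.0/24 -> 0/32
# inbound redirections: web server and mail server
rdr ep0 0.0.0.0/0 port 80 -> 192.168.1.101 port 80 tcp
rdr ep0 0.0.0.0/0 port 25 -> 192.168.1.102 port 25 tcp
EOF

list_rdr "$SAMPLE_CONF"
echo "exposed services: $(count_rdr "$SAMPLE_CONF")"
```

Run it against the real /etc/ipnat.conf by replacing the sample file; any rule reported as tcp/udp forwards both protocols, which is rarely what a single service needs.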
We've put snort, the open source intrusion detection software, into the distribution. All you have to do is install detection rules and enable it; here's how:
edit /etc/rc.local, add a line like this:
/usr/local/bin/snort -D -c /usr/local/share/snort/rules.conf -s
(that should start snort on system startup)
Of course, this assumes you have created a file "rules.conf" in the location specified above. There are several rules files available on the snort web site.
Note: snort is not for the faint of heart. You'll get far more alarms than you expect, and virtually all of them will be harmless attempts to scan for Windows shares. Harmless, because that's what the firewall is for!
We received an extension to this snort package from Ken McKinlay, who uses tcpdump and some clever scripts to make a nice intrusion detection setup. If you're not afraid of experimenting, and know your way around shell scripts, download this package: