What's next?

There are plenty of things we want to do next: for example, intrusion detection tools, or adding mail and web services to your setup.


Currently, we're simply working on getting all the details right, and making sure what we have now runs on as many systems as we can.

For the next step, we need you to tell us what you would like to see. Mail us!

If you'd like to know more about NetBSD, install more than one firewall, or show your appreciation for our work, visit our CD and donation page.


If you want to run a web server behind your firewall, add a line to /etc/ipnat.conf to redirect to the web site:

rdr ep0 <external-ip> port 80 -> <webserver-ip> port 80

(where <external-ip> is the external address, <webserver-ip> is the web server address, and ep0 is the external network interface. Port 80 is the web server port.)

Then type "ipnat -f /etc/ipnat.conf" or, alternatively, restart the firewall.

If you want to run other servers behind your firewall, just use the port number that service uses instead of 80 - but remember, every hole you punch in the firewall like this exposes a little bit of your systems; make sure you know the server you're using is secure. For example, if you add a mail server (port 25), make sure it cannot be used to send out spam. If you're not sure, just mail us with your questions.


We've put snort, the open source intrusion detection software, into the distribution. All you have to do is install detection rules and enable it. Here's how:

Edit /etc/rc.local and add a line like this:

/usr/local/bin/snort -D -c /usr/local/share/snort/rules.conf -s

(that should start snort on system startup)

Of course, this assumes you have created a file "rules.conf" in the location specified above. There are several rules files available on the snort web site.

Note: snort is not for the faint of heart. You'll get far more alarms than you expect, and virtually all of them will be harmless attempts to scan for Windows shares. Harmless, because that's what the firewall is for!!
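
One way to see past the noise described in the note above, as an added example that is not part of the original page or of the NetBSD Firewall distribution: a shell script that splits snort's syslog alerts into Windows-share scans (destination ports 137-139 and 445) and everything else. The log lines are constructed, and their alert text is an assumption that varies with the snort version and rules file; only the "source:port -> destination:port" part is parsed.

```shell
#!/bin/sh
# Added example: triage snort syslog alerts by destination port.

# Constructed sample lines (documentation addresses, assumed alert text).
sample_log() {
cat <<'EOF'
Mar  3 10:15:22 fw snort: NETBIOS name query {UDP} 203.0.113.5:1025 -> 192.0.2.10:137
Mar  3 10:15:40 fw snort: SMB share access attempt {TCP} 203.0.113.5:3311 -> 192.0.2.10:139
Mar  3 10:17:02 fw snort: SMB share access attempt {TCP} 198.51.100.7:4020 -> 192.0.2.10:445
Mar  3 10:21:13 fw snort: WEB-CGI probe {TCP} 198.51.100.9:2201 -> 192.0.2.10:80
Mar  3 10:30:45 fw snort: SMTP relay attempt {TCP} 198.51.100.9:2290 -> 192.0.2.10:25
Mar  3 10:31:00 fw named: unrelated daemon message
EOF
}

# Print "<dst port> <src ip>" for every snort alert read from stdin.
alert_targets() {
    awk '/ snort(\[[0-9]+\])?: / {
        for (i = 2; i < NF; i++) if ($i == "->") {
            n = split($(i + 1), dst, ":"); split($(i - 1), src, ":")
            if (n == 2) print dst[2], src[1]
        }
    }'
}

# Tag each alert "share" (NetBIOS 137-139, SMB 445) or "other".
classify() {
    alert_targets | awk '{
        kind = (($1 >= 137 && $1 <= 139) || $1 == 445) ? "share" : "other"
        print kind, $1, $2
    }'
}

# Number of alerts of the given kind ("share" or "other").
count_kind() { classify | awk -v k="$1" '$1 == k' | wc -l | tr -d ' '; }

# Distinct "source -> port N" pairs that are not share scans.
other_alerts() { classify | awk '$1 == "other" { print $3, "-> port", $2 }' | sort -u; }

# Short report: how much is share-scan noise, and what is left to read.
summary() {
    log=$(cat)
    echo "share-scan noise: $(printf '%s\n' "$log" | count_kind share)"
    echo "needs a look:     $(printf '%s\n' "$log" | count_kind other)"
    printf '%s\n' "$log" | other_alerts
}

# Runs on the constructed sample; on the firewall, redirect the file your
# syslog configuration writes snort alerts to into summary instead.
sample_log | summary
```

The alerts left in the second group point at ports you opened with rdr rules in /etc/ipnat.conf, such as 80 or 25, and those are the ones to read.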

We received an extension to this snort package from Ken McKinlay, who uses tcpdump and some clever scripts to make a nice intrusion detection setup. If you're not afraid of experimenting, and know your way around shell scripts, download this package:

  • log on as root
  • type: "ftp"