The home page

The latest version

 How to get NetBSD Firewall
Supported hardware
Customer Reviews

Questions you should have

 Is it useful for me?
What information do I need?
What hardware do I need?
What software do I need?
How do I plug it all in?

How to install it

 Getting the hardware ready
Getting the software ready
The installation process
Checking if it works
Changing your home computer
What's next (possibble extra's)?
CD and Donations

Full technical disclosure

 How to get the sources
Who we are

Related technical resources

  Sites with information
Sites with tools
intrusion detection software

Let us know!

 Tell us you installed it
Any problems? Let us know!

How to get the sources?


All the files listed below are available both for download and on the CD.

There's not much difference between a default NetBSD install, so if you want to reproduce our work, it's probably a good idea to start with a full set of sources from the NetBSD site.

From the NetBSD site, we took the base.tgz, kern.tgz, and etc.tgz installation packages, unpacked them, and deleted a number of files from them. We also modified a lot of text files in the /etc directory, mostly to disable services a firewall does not need, and in some cases, services you definately do not want on a firewall system. To see what we did, download our firewall.tgz, unpack it, and have a look.

We modified the sysinst tool to allow for an easier installation process, and to allow for the fact that the firewall system will have two ethernet cards. Of course, the fact that we already know the network address for the internal network helps. Also, we write a NAT setup file from sysinst, with the right ethernet information in it. The sources are here. For people who know a bit about the source code layout of NetBSD, what you get when you unpack is the set of files that differ from the standard source distibution, in the same layout as you would see them in the standard source code base; not just the sysinst tool, but the few modifications required to get a dhcp client onto the floppies as well, including the slightly modified kernel configuration for the boot floppy. If you just install all NetBSD sources, and install this package on top of it, you'll be set to build our install floppies, which we modified a bit as well.

Also, we built a modified kernel for use with the firewall, again with the purpose of disabling features that are unwanted on firewall systems. The configuration is here.

That's basically all you need to reproduce our work. Should you have any questions, don't hesitate to ask.

What you'll end up with is a Unix system with NAT (network addres translation) set up to translate the private address space on the internal network (192.168.1.x) to the one external address. IP Filters are employed to prevent some network abuse, source routing is disabled, and the internal ftp proxy makes ftp transparent. The kernel has all potential hazards disabled, is built without debuggers and has the security level set to 1. All network daemons are disabled in inetd.conf, syslog starts in secure mode (ignoring UDP packets) and no rpc is started (included portmon).

The previous version, 1.5.0, is of course still available:

The source for the previous version, 1.5.0, is of course still available: