Related technical resources


If you have any information you think should be on this page, tell me.

Sites with similar firewalls:

Erik Winkler has a setup for 68K Macintosh computers:

NetBSD firewall for 68K Macs


Sites with information:

SecurityFocus is a news web site that keeps an eye on technical issues related to security, break-in attempts, etc. This is a very valuable resource if you want to stay current:


Here is a list of Firewall vendors and their products.


IP Filter Based Firewalls HOWTO:

Unix security checklist



Sites with tools:


Some ADSL and cable modem providers want you to run PPP over Ethernet to connect to their modem. Here's where you can find a version for NetBSD and Linux.


Bastille Linux 1.0

by the Bastille Linux Project

Platforms: Linux

Bastille Linux is aimed primarily at non-security-experts, who are less knowledgeable about security but want to run a more secure distribution of Linux. Our goal is to build a more secure distribution based on a well-supported existing distribution. Our solution currently takes the form of a Universal Hardening Program which must be run immediately after installation of Redhat 6.0.



nmap is a utility for port scanning large networks, although it works fine for single hosts. The guiding philosophy for the creation of nmap was TMTOWTDI (There's More Than One Way To Do It). This is the Perl slogan, but it is equally applicable to scanners. Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.). You just can't do all this with one scanning mode. And you don't want to have 10 different scanners around, all with different interfaces and capabilities.

The NetBSD package is here.


The Firewall Toolkit is one of the most often used freely available set of firewall tools:


Wietse Venema wrote a number of widely used tools that are excellent. His wrapper functions are among the most used firewall tools.

Wietse's tools and papers can be found here:

Intrusion detection tools


Tripwire is a file and directory integrity checker, a utility that compares a designated set of files and directories against information stored in a previously generated database. Any differences are flagged and logged, including added or deleted entries. When run against system files on a regular basis, any changes in critical system files will be spotted -- and appropriate damage control measures can be taken immediately. With Tripwire, system administrators can conclude with a high degree of certainty that a given set of files remain free of unauthorized modifications if Tripwire reports no changes.


Deception Toolkit

The Deception Toolkit is a set of software that makes your computer look like it is running something it is not, and is meant to confuse and/or track crackers. Read the site for full information.


PortSentry is probably the most often used network intrusion detection tool.


Snort is a new network intrusion detection tool that is rapidly becoming popular.

Frequently Asked Questions on Intrusion detection software


Other interesting information


Macintosh users who want firewall protection should consider DoorStop Personal Edition from Open Door Networks, Inc. DoorStop PE is inexpensive, easy-to-use software that runs on the Mac it's protecting and lets you deny TCP access to specific (or all) services on that Mac based on the user's IP address. DoorStop can also log allowed and denied connection attempts, and notify you when such attempts occur.


Deep Reading is a site with some excellent reading material that should give you some insight on why it is so difficult to get things really secure.

Books on security and Intrusion detection

Although O'Reilly probably has the best books there are on this subject, you might want to look into these as well:


Network Intrusion Detection: An Analyst's Handbook

by Stephen Northcutt

ISBN: 0735708681


Maximum Linux Security

Publisher: SAMS Publishing

Author: Anonymous

ISBN: 0-672-31670-6

First Printing: September 1999