Contributed by jose on from the keepin-it-real-and-real-tiny dept.
OpenBSD Journal
By paul () on
By jose () on monkey.org/~jose/
By jolan () on
By Matt () on
This sounds like a great idea. Can't wait to see it, especially when he gets NAT and routing working.
By Anonymous Coward () on
What's wrong with modifying config/etc/pf.conf to suit your needs?
I made myself a floppy firewall the other month when my mom's drive died - I was housesitting for her, needed my net connection right away, so made a quick and dirty floppy. Then I found Peter's, which was remarkably similar - good work, Peter. One thing missing, though, that I'd have liked and haven't been able to get: an sshd that fits on the floppy as well. Anyone have anything like that?
By Marcin () kandelabr@netscape.net on mailto:kandelabr@netscape.net
still lacking in functionality/feature set.
Remember that these packages are not as popular/known as ssh, which decreases the amount of testing, blah, blah, blah, no bloat, blah, blah, small, blah, secure, blah, blah.
Dropbear SSH Server:
http://matt.ucc.asn.au/dropbear/dropbear.html
Features
* A small memory footprint - Dropbear can compile to a 110kB statically linked binary with uClibc (and only minimal options selected).
* Implements X11 forwarding, and authentication-agent forwarding for OpenSSH clients
* Compatible with OpenSSH ~/.ssh/authorized_keys public key authentication
* Features can easily be disabled when compiling to save space.
Platforms
The following platforms are known to work properly:
* Linux - Debian Woody, Debian Slink, uClibc >=0.9.17, and have had reports that dietlibc works too
* Solaris 8 x86
* FreeBSD.
* Tru64 5.1 (using prngd for entropy)
It shouldn't be hard to get it to work on other POSIX platforms, it is mostly a case of setting up the configure options correctly.
lsh:
lsh is a free implementation (in the GNU sense) of the ssh
http://www.lysator.liu.se/~nisse/lsh/
Features
lsh does not only provide more secure replacements for telnet, rsh and rlogin, it also provides some other features to make it convenient to communicate securely. This section is expected to grow with time, as more features from the wish-list are added to lsh. One goal for lsh is to make it reasonably easy to extend it, without messing with the core security functionality.
lsh can be configured to allow login based on a personal key-pair consisting of a private and a public key, so that you can execute remote commands without typing your password every time. You can also use Thomas Wu's Secure Remote Password Protocol (SRP). Kerberos support is on the wish list but not yet supported (see Kerberos).
The public-key authentication methods should also be extended to support Simple Public Key Infrastructure (SPKI) certificates, including some mechanism to delegate restricted logins.
Forwarding of arbitrary TCP/IP connections is provided. This is useful for tunneling otherwise insecure protocols, like telnet and pop, through an encrypted lsh connection.
Convenient tunneling of X was one of the most impressive features of the original ssh programs. The current version of lsh implements X-forwarding, although the lshd server doesn't provide that service yet.
When X forwarding is in effect, the remote process is started in an environment where the DISPLAY variable points to a fake X server, connections to which are forwarded to the X server in your local environment. lsh also creates a new "fake" MIT-MAGIC-COOKIE-1 for access control. Your real X authentication data is never sent to the remote machine.
Other kinds of tunneling that may turn out to be useful include authentication (i.e. ssh-agent), general forwarding of UDP, and why not also general IP-tunneling.
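The fake-cookie scheme described above (which OpenSSH uses as well) rests on one check at the trusted end of the tunnel: every forwarded X11 connection presents its MIT-MAGIC-COOKIE-1 in the X11 connection-setup request, and only a request carrying the session's fake cookie is rewritten to carry the real cookie and handed to the local X server. The following is an added illustration of that check, not code from lsh or OpenSSH; REAL_COOKIE and FAKE_COOKIE are constructed values, and a real implementation would read the real cookie from the local xauth database and draw a fresh fake one per session.

```python
import hmac
import os
import struct

# Constructed values for this example. A real implementation would read the
# real cookie from the local xauth database and generate a fresh fake cookie
# for every session; neither value here is a real credential.
REAL_COOKIE = bytes.fromhex("00112233445566778899aabbccddeeff")
FAKE_COOKIE = bytes.fromhex("ffeeddccbbaa99887766554433221100")
AUTH_PROTO = b"MIT-MAGIC-COOKIE-1"


def make_fake_cookie() -> bytes:
    """Fresh 16-byte fake cookie; this is the only cookie the remote side sees."""
    return os.urandom(16)


def _pad(n: int) -> int:
    """X11 pads variable-length fields to a multiple of 4 bytes."""
    return (4 - n % 4) % 4


def build_setup_request(cookie: bytes, byte_order: str = "l") -> bytes:
    """Build an X11 connection-setup request carrying the given cookie.

    byte_order is 'l' (0x6C, LSB first) or 'B' (0x42, MSB first), exactly
    as in the first byte of a real X11 setup request.
    """
    if byte_order not in ("l", "B"):
        raise ValueError("byte order must be 'l' or 'B'")
    fmt = "<" if byte_order == "l" else ">"
    # byte-order, pad, major, minor, name length, data length, 2 pad bytes
    header = struct.pack(fmt + "BxHHHHxx", ord(byte_order), 11, 0,
                         len(AUTH_PROTO), len(cookie))
    return (header
            + AUTH_PROTO + b"\0" * _pad(len(AUTH_PROTO))
            + cookie + b"\0" * _pad(len(cookie)))


def parse_setup_request(pkt: bytes) -> dict:
    """Parse the fixed 12-byte header and locate the auth name and data."""
    if len(pkt) < 12:
        raise ValueError("setup request too short")
    if pkt[0] == 0x6C:
        fmt = "<"
    elif pkt[0] == 0x42:
        fmt = ">"
    else:
        raise ValueError("unknown byte-order marker %#x" % pkt[0])
    major, minor, n, d = struct.unpack(fmt + "xxHHHHxx", pkt[:12])
    name_off = 12
    data_off = name_off + n + _pad(n)
    end = data_off + d + _pad(d)
    if len(pkt) < end:
        raise ValueError("setup request truncated")
    return {
        "major": major,
        "minor": minor,
        "name": pkt[name_off:name_off + n],
        "data": pkt[data_off:data_off + d],
        "data_off": data_off,
    }


def swap_cookie(pkt: bytes, fake: bytes, real: bytes) -> bytes:
    """Replace the fake cookie with the real one, or refuse the connection.

    This is the check the local (trusted) end performs on every forwarded
    X11 connection: only a request presenting the session's fake cookie is
    rewritten and passed on to the real X server; anything else is dropped.
    """
    info = parse_setup_request(pkt)
    if info["name"] != AUTH_PROTO:
        raise PermissionError("rejecting X11 connection: unexpected auth protocol")
    if not hmac.compare_digest(info["data"], fake):
        raise PermissionError("rejecting X11 connection: auth data does not match fake cookie")
    if len(real) != len(fake):
        raise ValueError("real and fake cookies must have the same length")
    off = info["data_off"]
    return pkt[:off] + real + pkt[off + len(fake):]


if __name__ == "__main__":
    req = build_setup_request(FAKE_COOKIE)
    forwarded = swap_cookie(req, FAKE_COOKIE, REAL_COOKIE)
    print("forwarded cookie:", parse_setup_request(forwarded)["data"].hex())
    try:
        swap_cookie(build_setup_request(os.urandom(16)), FAKE_COOKIE, REAL_COOKIE)
    except PermissionError as e:
        print("blocked:", e)
```

The rewrite happens only on the trusted side, so the real cookie never crosses the tunnel; a remote process that tries to reach the local display with anything other than the session's fake cookie is refused before the request reaches the X server, and the constant-time comparison keeps the check from leaking the fake cookie byte by byte.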
By Matt () on
- add DHCP and NAT functionality
I took that to mean that he was not incorporating NAT's functionality into the build and thus a simple change to pf.conf is not all that is necessary to get NAT working. If that were the case I wouldn't have made that comment.
By Peter Hessler () spambox@theapt.org on http://www.theapt.org
By Thomas () on
By Adam VanderHook () on http://acidos.bandwidth-junkies.net/
By Anonymous Coward () on
and it used to be: "hey mom, I'm sending you a floppy. Pop it in the machine labelled 'FIREWALL' and press the button labelled 'DO NOT PRESS'."
If I get a CD drive for that machine, it could be s/floppy/cd/g
Also, my firewalls only go down when something major is wrong, like a dead NIC. The floppy is only needed during boot time, so I need to be on site anyways, to change hardware. If the floppy happens to be no longer reliable, I have others on hand that are.
Also also, not everyone has a CD burner, but (in the past, this is changing) everyone had a floppy drive, so directing someone to make a bootable floppy off the image I e-mailed them is possible.
One final also, i liked this guy's story: http://www.galileo.edu/obonilla/writing/picobsd/
Not every sysadmin is in the first world.
I know you said "opinion" and I'm not trying to argue everyone needs to use floppies, just outlining some uses/reasons.
By Peter Hessler () spambox@theapt.org on http://www.theapt.org
Also, it works when you burn it onto a CD.
By Peter Hessler () spambox@theapt.org on http://www.theapt.org/openbsd/firewall.html