OpenBSD Journal

PF on a floppy

Contributed by jose on from the keepin-it-real-and-real-tiny dept.

Peter Hessler has been working on a small OpenBSD distribution for a while now. He's been able get PF on a single floppy . His FOAF project (firewall on a floppy) looks like a useful way for you to have a diskless firewall running on your box. Mix it together with a minimal shell and voila, you have a small BSD based router . Thanks, Peter!

(Comments are closed)

  1. By paul () on

    typo there... should be and not

    1. By jose () on

      fixed, thanks.

      1. By jolan () on

        smal->small as well...

  2. By Matt () on

    This sounds like a great idea. can't wait to see it, especially when he gets nat and routing working.

    1. By Anonymous Coward () on

      This sounds like a great idea. can't wait to see it, especially when he gets nat and routing working.

      What's wrong with modifying config/etc/pf.conf to suit your needs?

      I made myself a floppy firewall the other month when my mom's drive died - i was housesitting for her, needed my net connection right away, so made a quick and dirty floppy. Then i found Peter's, which was remarkably similar - good work, Peter. One thing missing, though, that i'd have liked and haven't been able to get: an sshd that fits on the floppy as well. Anyone have anything like that?

      1. By Marcin () on

        Dropbear or LSH might work for you. Dropbear is
        still lacking in functionality/feature set.

        Remember that these packages are not as popular/known as ssh, what decreases the amout of
        testing, blah, blah, blah, no bloat, blah, blah, small, blah, secure, blah, blah.

        Dropbear SSH Server:


        * A small memory footprint - Dropbear can compile to a 110kB statically linked binary with uClibc (and only minimal options selected).

        * Implements X11 forwarding, and authentication-agent forwarding for OpenSSH clients

        * Compatible with OpenSSH ~/.ssh/authorized_keys public key authentication

        * Features can easily be disabled when compiling to save space.


        The following platforms are known the work properly:

        * Linux - Debian Woody, Debian Slink, uClibc >=0.9.17, and have had reports that dietlibc works too

        * Solaris 8 x86

        * FreeBSD.

        * Tru64 5.1 (using prngd for entropy)

        It shouldn't be hard to get it to work on other POSIX platforms, it is mostly a case of setting up the configure options correctly.


        lsh is a free implementation (in the GNU sense) of the ssh


        lsh does not only provide more secure replacements for telnet, rsh and rlogin, it also provides some other features to make it convenient to communicate securely. This section is expected to grow with time, as more features from the wish-list are added to lsh. One goal for lsh is to make it reasonable easy to extend it, without messing with the core security functionality.

        lsh can be configured to allow login based on a personal key-pair consisting of a private and a public key, so that you can execute remote commands without typing your password every time. You can also use Thomas Wu's Secure Remote Password Protocol (SRP). Kerberos support is on the wish list but not yet supported (see Kerberos).

        The public-key authentication methods should also be extended to support Simple Public Key Infrastructure (SPKI) certificates, including some mechanism to delegate restricted logins.

        Forwarding of arbitrary TCP/IP connections is provided. This is useful for tunneling otherwise insecure protocols, like telnet and pop, through an encrypted lsh connection.

        Convenient tunneling of X was one of the most impressive features of the original ssh programs. The current version of lsh implements X-forwarding, although the lshd server doesn't provide that service yet.

        Whan X forwarding is in effect, the remote process is started in an environment where the DISPLAY variable in the environment points to a fake X server, connection to which are forwarded to the X server in your local environment. lsh also creates a new "fake" MIT-MAGIC-COOKIE-1 for controlling access control. Your real X authentication data is never sent to the remote machine.

        Other kinds of tunneling that may turn out to be useful include authentication (i.e. ssh-agent), general forwarding of UDP, and why not also general IP-tunneling.

      2. By Matt () on

        From the todo list:
        -add DHCP and NAT functionality

        I took that to mean that he was not incorporating NAT's functionality into the build and thus a simple change to pf.conf is not all that is necessary to getting nat working. If that were the case I wouldn't have made that comment.

    2. By Peter Hessler () on

      NAT might be working. Feel free to try it. I don't use NAT, and I have no way of testing such a setup on my current configuration.

  3. By Thomas () on

    I have never quite grasped the idea of running a router and/or firewall - a device that should be as stable and foolproof as possible - from such an unstable medium such as a floppy. But that's just me and my opinion; I realize that it's very useful for some, e.g. as a quiet and cheap machine at someone's home network.

    1. By Adam VanderHook () on

      As far as removeable, write-protected medium, a floppy disk is the smallest common denominator. If you can make it fit on there, you can make it fit on a CD (regular, mini, or business card), fit it into a flash RAM system, etc.

    2. By Anonymous Coward () on

      it's very useful for some, e.g. as a quiet and cheap machine at someone's home network.

      and it used to be: "hey mom, i'm sending you a floppy. pop it in the machine labelled 'FIREWALL' and press the button labelled 'DO NOT PRESS'."

      If i get a cd drive for that machine, it could be s/floppy/cd/g

      Also, my firewalls only go down when something major is wrong, like a dead NIC. The floppy is only needed during boot time, so I need to be on site anyways, to change hardware. If the floppy happens to be no longer reliable, i have others on hand that are.

      Also also, not everyone has a cd burner, but (in the past, this is changing) everyone had a floppy drive, so directing someone to make a bootable floppy off the image i e-mailed them is possible.

      One final also, i liked this guy's story:

      I found a machine lying around that had most of the specifications needed for the job, except for a hard disk drive. I asked the supplies department for a 40 GB hard disk drive and got a 1.44 MB floppy.

      Not every sysadmin is in the first world.

      I know you said "opinion" and i'm not trying to argue everyone needs to use floppies, just outlining some uses/reasons.

    3. By Peter Hessler () on

      It loads from the floppy, into memory. Once its loaded, you can take the floppy out.

      Also, it works when you burn it onto a CD.

  4. By Peter Hessler () on

    Thanks to the story here, I decided to update FOAF. I added mg, dhclient, and fixed the ISO generation of a CD image. Also, some more pf.conf fixes. Download, run, and let me know what you think. (btw, spambox@ is a real address)

Latest Articles


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]