More on little firewalls (by )

Ok, I've picked up two Soekris net4801s. Lovely little boxes!

Installing OpenBSD on them via PXE was trivial. One interesting point was that I was running them from a 6v power supply, since the thing requires from 6 to about 28 volts. Presuming this to mean there's a linear regulator within generating a 5v line, I ran it from 6v to reduce the losses in the linear reg.

Anyway, all was well, until the box started to refuse to reboot. I was puzzled for a while, then I increased the voltage on my (cheap, unregulated) power supply unit. At first I thought my cheap little power brick was probably undervolting, but when all power to the area went down (including the streetlights on the A127!), it occurred to me that perhaps the mains power might have been a little under 240v anyway 🙂

I got two of them, one for the original transparent firewalling application, and another to play with that I've decided to use to replace my current home LAN router - a 486 desktop machine running NetBSD. I'm using Ethernet bridging to make it appear like a three-port Ethernet switch linking the DSL router, my DMZ network, and my internal network; the internal machines use a private IP range, while the DMZ network machines have both private IP and public IP addresses; the Soekris box acts as a packet-filtering transparent firewall between the three LANs, while also being a NAT router between the private IP range and a public IP address.

This all works fine, except that if a DMZ machine tries to talk to the internal IP address of the router (which runs a DNS server), the response comes back from the external IP of the router, and with a different source port, so isn't recognised by the DMZ machine as being a valid reply. I've worked around it by getting the DMZ machines to use the router's external IP as their DNS server, and telling the router to allow access to the DNS server via the external IP only from the DMZ, and moving more interface-dependent services like DHCP and broadcast NTP off of the router to a DMZ machine.

Ethernet bridging in BSD kernels (by )

Oooh, while researching Proxy ARP for a transparent firewall, I found out that the BSDs these days can do Ethernet bridging in-kernel. man brconfig, if you want more details.

Here's a handy writeup on using it to configure OpenBSD as a filtering bridge:

You can use it to bridge across any number of interfaces, in effect creating an Ethernet switch. But don't try to do this with too many ports - x86 architectures don't tend to have the IO backplane bandwidth of dedicated switch hardware!

According to the man pages, NetBSD 1.6.1 doesn't actually let you use packet filtering, but OpenBSD does. OpenBSD is a good choice for a firewall anyway, since security folks like it and have tended to pump it full of useful packet filtering options.
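Here is what the three-port filtering bridge from the first post (DSL router, DMZ, internal LAN, with NAT for the internal range and the DNS workaround) looks like as an OpenBSD pf.conf. This is an added example, not the author's configuration: the interface names (sis0..sis2), the addresses and the bridge file layout are assumed values, and the rule syntax is that of current OpenBSD releases (older releases used `nat on ... -> (...)` for the NAT rule and `/etc/bridgename.bridge0` rather than `/etc/hostname.bridge0`).

```pf
# Added example (not the post's own config): OpenBSD pf.conf for a
# three-port filtering bridge. Interface names, addresses and the bridge
# layout are assumed values, not the author's.
#
# Bridge membership is configured outside pf. On brconfig-era releases
# /etc/bridgename.bridge0 holds:     add sis0 add sis1 add sis2 up
# on current releases the same line goes in /etc/hostname.bridge0.
# pf evaluates bridged packets on the member interfaces, not on bridge0.

ext_if = "sis0"             # towards the DSL router
dmz_if = "sis1"             # DMZ segment (hosts have public + private addresses)
int_if = "sis2"             # internal LAN (private addresses only)

ext_ip  = "203.0.113.10"    # router's public address (assumed, documentation range)
int_ip  = "192.168.1.1"     # router's private address on the internal side
dmz_net = "192.168.2.0/24"  # private range used by DMZ hosts
int_net = "192.168.1.0/24"

set skip on lo

# Default deny, logged, so anything not explicitly allowed appears in pflog.
block log all

# NAT only the internal LAN: DMZ hosts have their own public addresses.
match out on $ext_if from $int_net nat-to ($ext_if)

# DNS workaround from the post: DMZ hosts use the router's *external*
# address as resolver, and that address answers on port 53 only to the
# DMZ segment. Internal hosts keep talking to the internal address.
pass in on $dmz_if proto { tcp udp } from $dmz_net to $ext_ip port 53
pass in on $int_if proto { tcp udp } from $int_net to $int_ip port 53
block in quick on $ext_if proto { tcp udp } to $ext_ip port 53

# Bridged traffic: internal hosts may go anywhere; DMZ hosts (on either of
# their addresses) may go anywhere except the internal range, which keeps
# the internal LAN unreachable from the DMZ.
pass out on $ext_if keep state
pass in on $int_if from $int_net keep state
pass in on $dmz_if to ! $int_net keep state
```

Load it with `pfctl -f /etc/pf.conf` and check the parsed ruleset with `pfctl -sr`; `tcpdump -n -e -ttt -i pflog0` shows what the default `block log` rule is dropping, which is the quickest way to see whether a DMZ host is still trying to reach the router's internal address.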

So does anyone know a nice supplier of small computers that can run OpenBSD and have two or more Ethernet interfaces, a cool enough CPU to not need a fan, and a flash disk that can be made readonly in hardware? A packet filter is, by definition, a single point of failure in a system, so I'd like it to be a maintenance-free device. Particularly since, lacking an actual IP address, it can't easily be contacted to check its status all that often...

Salad Fingers 5 is out! (by )

Salad Fingers is a very disturbing and strange Flash cartoon.

If you've already seen episodes 1-4 then you can watch episode 5 - otherwise, view them all!