From owner-freebsd-chat Tue Jan 15 8:43:35 2002
Date: Tue, 15 Jan 2002 08:43:16 -0800 (PST)
From: "Jason C. Wells"
To: Nathan Mace
Cc: freebsd-chat@FreeBSD.ORG
Subject: Re: a CDROM based firewall
In-Reply-To: <200201150509.AAA07250@uce55.uchaswv.edu>

On Tue, 15 Jan 2002, Nathan Mace wrote:

> what do you guys think of a "free" style licensed BSD based firewall on a
> bootable CDROM? i know that suse linux provides this as a linux based
> product but it is commercial, and i'm not sure how popular it is or how well
> it works.
>
> i was thinking that i could make an ISO image that when burned to a CDROM,
> which when booted it would copy itself to memory, and then run from there.
> you could set up a ram drive to be the /tmp directory, and optionally you
> could have a hard drive to hold the log files.

Or use syslog to log to a remote host. Disable VM altogether and you need
no hard drive at all.

> i've talked to some people i know about this idea, and someone pointed out
> that you'd have to burn a CDR every time you wanted to permanently change the
> firewall rules, but what would be wrong with linking the firewall conf (rules)
> file to a file on the floppy drive? you could edit it on a different
> computer, and then set the floppy disk to be physically read-only. mount the
> disk and restart the firewall daemon causing it to re-read the new file.

CDROMs are cheap. If I were doing this for my own network, I wouldn't care
about their cost. I eventually planned to do this, when I could next afford
another computer.

> anyone see any serious problems with this? anyone know if there are any
> projects like this already out there? thanks

I don't see any problems. It's just FreeBSD/ipfw used in a slightly
unconventional way. You could do this in the time it takes to do a minimal
install to a target directory, customize a kernel, hack rc.firewall to suit
your needs, and burn the ROM. (Someone might point out some kooky bootable
CDROM / BIOS issues that I am unaware of.)

Later,
Jason C. Wells
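The reload step Nathan describes (mount the write-protected floppy, then make the firewall re-read its rules) written out as a script, as an added example that is not part of this thread and not FreeBSD's own rc.firewall. The one thing worth adding to the thread's sketch is a check before the flush: an ipfw kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT denies everything once the ruleset is flushed, so a rules file with a typo made on the editing machine does not open the box, it locks you out of a machine with no keyboard and no writable disk. The paths FLOPPY_DEV, MNT and RULES, the msdosfs filesystem type and the one-command-per-line file layout are all assumptions of this example; IPFW can be pointed at a shell function for a dry run.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.firewall.
# Reload ipfw rules from a file kept on a read-only floppy, but only after
# the file passes a few sanity checks, so a typo made on the editing
# machine cannot flush the live ruleset and leave the box unreachable.
#
# Assumed layout (hypothetical paths, override via the environment):
#   FLOPPY_DEV  floppy device, mounted read-only at MNT
#   RULES       one ipfw command per line without the leading "ipfw",
#               e.g. "add 100 allow ip from any to any via lo0";
#               '#' starts a comment
#   IPFW        the ipfw binary; set IPFW to a shell function for a dry run

FLOPPY_DEV=${FLOPPY_DEV:-/dev/fd0}
MNT=${MNT:-/mnt/rules}
RULES=${RULES:-$MNT/ipfw.rules}
IPFW=${IPFW:-/sbin/ipfw}

# Print the rules file with comments and blank lines removed.
strip_rules() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Return 0 only if the file is safe to load:
#  - every line is an "add" with a recognised action (no flush, no
#    delete, nothing that changes state other than adding rules)
#  - the last rule is an explicit "deny ip from any to any", so the
#    ruleset fails closed even on a kernel whose default is accept
check_rules() {
    file=$1
    [ -r "$file" ] || { echo "check: cannot read $file" >&2; return 1; }
    status=0
    last=""
    while read -r verb rest; do
        case "$verb" in
            add) ;;
            *)  echo "check: only 'add' lines are allowed, got: $verb" >&2
                status=1
                continue ;;
        esac
        set -- $rest
        case "${1:-}" in [0-9]*) shift ;; esac        # optional rule number
        case "${1:-}" in
            allow|accept|pass|permit|deny|drop|reset|count|skipto|divert|check-state) ;;
            *)  echo "check: unknown action in: add $rest" >&2
                status=1 ;;
        esac
        last=$*
    done <<EOF
$(strip_rules "$file")
EOF
    case "$last" in
        deny\ ip\ from\ any\ to\ any*|deny\ all\ from\ any\ to\ any*) ;;
        *)  echo "check: last rule must be 'deny ip from any to any', got: $last" >&2
            status=1 ;;
    esac
    return $status
}

# Mount the floppy read-only. The write-protect tab is the real guarantee;
# -r only stops a careless mount from undoing it. (msdosfs is an assumption;
# use whatever the floppy was formatted as.)
mount_rules_floppy() {
    mkdir -p "$MNT" && mount -r -t msdosfs "$FLOPPY_DEV" "$MNT"
}

# Validate, then replace the live ruleset. Between the flush and the last
# add, a default-to-deny kernel drops traffic; it never accepts it, which
# is why the checks run before the flush rather than after.
apply_rules() {
    file=${1:-$RULES}
    check_rules "$file" || { echo "apply: rules rejected, firewall untouched" >&2; return 1; }
    "$IPFW" -q flush || return 1
    strip_rules "$file" | while read -r line; do
        "$IPFW" -q $line || exit 1     # abort the pipeline on the first failure
    done
}

case "${1:-}" in
    check)  check_rules "${2:-$RULES}" ;;
    reload) mount_rules_floppy && apply_rules "$RULES" ;;
esac
```

Run it as `sh script check /path/to/ipfw.rules` on the editing machine before the floppy goes in the firewall, and as `sh script reload` from whatever takes the place of "restart the firewall daemon" on the CD image. The action list and the deny-all check are deliberately strict: anything the script does not recognise is rejected, which is the right failure mode for a box you cannot log in to after a bad load.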