This is a quick reference guide for installing the free GNATBox Light firewall. GNATBox Light is a complete hardened, stateful, BSD-based firewall that fits on a single floppy disk (how cool is that?). See below for references. You can download a Word document with some sample Avery 5196 diskette labels at http://www.jpsdomain.org/public/GNATBox_Diskette_Labels.doc.
Also check out my Home Networking diagram and explanation at http://www.jpsdomain.org/infosec/home_networks.html.
If you are interested in firewalls, you should also check out http://m0n0.ch/wall/, a completely free and Open Source firewall platform. It is arguably better than the GNATBox in many ways, such as having a more standard (in firewall terminology) and intuitive interface, many more features, no arbitrary limits on the number of interfaces or the number of connections, etc. However, it requires more resources to run (Pentium or better, 64 MB RAM or better, and a hard drive, CD-ROM or CF-Card). Both M0n0wall and GNATBox are very cool, and both have their place, so check them both out.
- 486 or better with 32 MB RAM [I'm only using 20 MB] and a floppy drive (no hard drive)
- 2 NICs (3Com 3c509b recommended for 486/ISA)
- You will need a keyboard and monitor for the install only
- * External IP Address:
- + External MAC Address:
- * External subnet mask:
- * Default Gateway:
- ISP DNS 1:
- ISP DNS 2:
- Internal (PROtected) IP Address:
- + Internal MAC Address:
- Internal subnet mask:
* If you have a cable modem, PPPoE or other link that uses DHCP, you will not need these.
+ It is very helpful, but not required, to know the MAC addresses of the network cards. They are often written somewhere on the card, especially on 3Com cards.
- Read about GNATBox Light (a little obsolete) at: http://www.gta.com/news/release/?n=1998-04-07.html
- Download the installer and the documentation from: http://www.gta.com/products/gblight/ and http://www.gta.com/support/documents/. There is also a FAQ at http://www.gta.com/support2/faq/, though only the "General Questions" section has much bearing on the GNATBox Lite.
- Install the software on the machine from which you will do management.
At the end of the first part of the install, you may want to unselect items
you don't need, e.g. "Make GNATBox Light PPP floppy." Then
there will be a few more simple install wizards and you're finished.
- Format and write a GNATBox floppy disk. (Using GBAdmin or gbMakeFloppy you can "merge" an
existing configuration into the new "image" when you need to upgrade
to a new version. See below.)
- Set the BIOS to boot without a keyboard if possible on the firewall box and boot the install floppy.
- On the firewall box itself, follow the GNATBox setup wizard to configure the firewall.
- Set the host name.
- Enter the external and internal IP Addresses and subnet masks as
needed. If you have a cable modem, use DHCP on the external address.
- Hit the space bar to select a different interface for the PROtected
interface--it defaults to the one you probably already used for the
external interface.
- Hit the spacebar to skip setting up a private service network (PSN, AKA DMZ)--that is not a feature in the free version (neither is a VPN).
- Set the default route (AKA next hop) if necessary. This is for the external side only. If you are using DHCP on the outside you should not set it on older GNATBox versions. On newer versions, set it to the "Interface object" of the connection (i.e. <EXTERNAL>).
- Set the password for the administration account.
- Save the configuration when finished.
- When the firewall finishes loading, try pressing ALT-F1, ALT-F2, and
ALT-F3 on the console. The first screen is log messages, the second
is the console admin tool, and the third is network stats.
- Next, connect to the firewall from the management machine. Launch GBAdmin and choose File, Open. Select the Network radio button and enter the IP address of the firewall. The default admin account is
'gnatbox', and the password is whatever you entered in the wizard. You can change both later.
- While there is a web GUI, I prefer to use the fat client as I think it is a little easier, and if you turn off the web GUI, it makes it that much more difficult for anyone to try to connect to your firewall from the inside.
- Register your GNATBox light. This increases some of the restrictions, and is free. I've never gotten any SPAM I can trace to
them from this.
It is most important that you correctly enter the MAC address of your PROtected network interface. To find the MAC address of your PROtected network interface, go to the Network Information screen using any of the User Interface tools (Console, Web or GBAdmin). Look in the Physical Interfaces section for the network interface card that you have assigned to the PROtected network interface. The MAC address will be displayed there as a set of 12 characters in six sets of two separated by colons (example: 08:00:2b:9a:94:3a). You should enter the MAC address exactly as it appears.
You can cheat by going to the "Reports" section, then to Configuration. You can copy and paste from that report. Just make sure you copy the correct MAC address.
- Surf to http://www.gta.com/products/regGblight/ and fill in the form.
- Enter the PROtected MAC address as above. You will immediately get the
registration number in your web browser and a copy will be e-mailed to you as well.
- Go to the "Basic Configuration, Features" screen.
- Hit the green plus on the tool bar, or use Edit, Insert. Paste the
registration code into the box. Note, the feature description will
remain "?????" until you exit and come back into the admin
interface.
- Go to the "Basic Configuration, Preferences" screen.
- Paste the serial number in, and fill out the rest of the boxes.
- Explore the interface. When you click on a main heading, you get a
summary/help page. Especially check out the Reports and System Activity
sections.
- Review the configuration:
- Basic Configuration, DNS: Configure and enable as needed.
- Basic Configuration, Features: Only the activation code is needed here.
- Basic Configuration, Preferences: Enter at least a name, Email
address, Serial number and support email address. (Should have already
entered at least the serial number)
- Services, E-Mail Proxy: Configure and enable as needed.
If you have a small network and you receive e-mail to a server inside the
firewall, you definitely want this! For home use or when e-mail is
hosted elsewhere, it's probably not needed.
- Services, Remote Logging: We'll get back to this.
- Authorization, Admin Accounts: You can change the admin account name
or password here, or create new accounts with various rights.
- Authorization, Remote Admin/Authentication: Configure how you can
administer the box. By default a web server on port 80 is
enabled. I usually disable this since it is not using SSL (in the
free version). It is only accessible from the
internal network, but...
- Authorization, VPNs: Not applicable for the free version.
- Content Filtering: Various proxy and content filtering options,
including CyberPatrol (extra cost). It also includes an HTTP proxy,
which operates in either traditional (which you must configure browsers to
use) or transparent (which requires no changes to browsers!).
- Routing: Allows you to configure RIP and/or static routes if needed.
- Objects, Addresses: You can create objects to describe your
environment that may be used in rules (more below).
- Objects, VPN: I usually disable this object, since the VPN is not enabled
in the free version.
- Filters, Outbound (i.e. outgoing rules): Verify the rules. Basically, the default rules allow everything outbound, which may not really be what you want. Firewall best practices dictate that you be as specific as possible in what traffic is allowed in and out of your network. For example, many trojans attempt to communicate out to the world on TCP or UDP port 53, assuming that many firewalls allow unrestricted outgoing DNS.
- Filters, Preferences, Email Server tab: If you have an SMTP server
(e.g. Exchange), you can have the GNATBox e-mail alerts to you. If you
do not configure this, you will need to remove the "alarm" on
outgoing rule 17.
There are lots of other neat things in these various tabs too.
- Filters, Protocols: Defines protocols. Pretty much never do
anything here.
- Filters, Remote Access (i.e. incoming rules): Verify the
rules! These are the rules that allow traffic into your network.
Make sure you understand exactly what they are doing!
- Disable rule 4, which allows unrestricted incoming and outgoing
DNS (53/UDP). You almost certainly want to disable this rule!
(Rule 2 is OK, as it is only outgoing, unless you are being as specific as
you should be with outgoing rules.)
- Rule 7 is a great rule to block but not log or alert on
a bunch of trash, including 1900/UDP, which is
Windows XP UPnP discovery. I had to create that rule manually in an
earlier version because I was getting an alert e-mail every few
seconds after I stupidly installed a "security patch" from Microsoft
on an XP test box.
- Disable rule 13, or change it to "deny." Ident
(AKA auth) is an obsolete UNIX protocol often used by SMTP and FTP servers
in a lame attempt to discover who owns the process that is trying to talk
to them. Note if the ident attempt is not rejected, it can cause
delays of up to 2 minutes for the process to fail. However, I always
disable this rule and have not had a problem.
- Consider rule 14; you may or may not want to deny ICMP access to the firewall.
- Rule 17 is the "cleanup" rule (in Checkpoint-speak) that denies
and logs anything not already allowed.
- Filters, Time Groups: You can create time groups, then do various
things with them with the rules.
- IP Passthrough: Allows you to bypass NAT if necessary.
This is probably not what you want to do in a small environment with
the free version. It might make sense with a commercial version with a
DMZ (PSN).
- NAT: In general allows you to configure aspects of NAT.
- NAT, Inbound Tunnels: This is very useful, and very dangerous.
It allows you to do PAT (Port Address Translation), which means you can
re-direct incoming traffic from your firewall to a machine on your internal
network. This can be useful, but it also allows traffic to come into your
network. Be very sure you know what you're doing with this. (Note,
many ISPs have service contracts that prohibit you from running servers anyway.) I forward an arbitrary port from my firewall address to port
22/TCP on my services server. Thus, I can SSH into my server from
anywhere.
- Runtime, Version: Gives you the version of the runtime image you are
currently using.
- Reports, Verification: Find and resolve any problems with your config.
A yellow or red light by a section shows a problem. Green lights are
good. White lights are features which are not configured (and many are
not available in the free version).
- Reports, Hardware: Gives you some basic information about the hardware
of your firewall server.
- Reports, Configuration: Cut & paste the config report into Notepad and save it, so you have a more or less human-readable copy of your config.
- System Activity: All kinds of information about what the server is
doing.
- Links: Various URLs.
- Save the configuration to the floppy.
- You now have a basic firewall set up.
- You can save and open GNATBox configurations from the network (to the
firewall itself), any number of floppies, and files on the local hard
drive. Since the entire firewall system resides on a single floppy,
this makes the back-out plan when upgrading absurdly simple--put the old
floppy back in and reboot. Likewise, in a test lab, you can have any
canned firewall config you want just by using a different floppy.
- Backup the system by creating a backup floppy. This is
also great for testing! Open the existing configuration from the local
drive, then switch floppies and save both
"Configuration" and "Runtime." Or, you can open a
firewall over the network, save the config as a file, then merge it to a new
floppy as below.
- "Merge" an old config into a new GNATBox runtime with
GBAdmin:
- Run the GUI admin tool.
- Open the firewall over the network, or the firewall floppy.
- Choose the File, Merge menu.
- Load the old config file or floppy.
- Verify the configuration, then save the merged config.
- "Merge" an old config into a new GNATBox runtime with gbMakeFloppy.
- Run "Make GB Lite Floppy"
- Click the control menu (icon in the title bar, in the upper left, directly left of the text "GNATBox Make Floppy") and choose the appropriate option.
- See the GNATBox Forums at http://forum.gnatbox.com/.
OK, one very important thing we have not talked about is logging. Since the GNATBox uses a single floppy disk, it has no room for local logging. It can log to memory, but that usually runs out pretty fast too. So a remote loghost is great. If you already have a syslog server (all UNIXes have one) you can use that (see the resources section for syslog server configuration). If not, GNATBox Lite used to come with one for Windows, but that seems not to be the case any more. See Windows Syslog Servers below for solutions.
- In Services, Remote Logging: Enable logging.
- Enter the IP address and port (514) of your syslog server. The
defaults are not bad, so I'd start with them.
- If you are using a UNIX syslog and understand facilities, you can configure
those as needed. See the RedHat example
below.
- If you are using a Windows syslog, you are probably not logging anything but
the GNATBox, so it's not worth changing facilities.
RedHat Syslog & Sendmail configuration
This was tested using RedHat 7.1 and 7.2 but should be similar for most
distributions.
On your RedHat box:
- mkdir -p /var/log/gnatbox
- Edit /etc/syslog.conf and add the following:
    # Save GNATBox Firewall logs/messages
    local0.*    /var/log/gnatbox/nat.log
    local1.*    /var/log/gnatbox/filter.log
    local2.*    /var/log/gnatbox/www.log
- Edit /etc/sysconfig/syslog and add "-r" to enable listening to the network like so:
    SYSLOGD_OPTIONS="-m 0 -r"
  Note that "-r" makes syslogd accept messages from any host that can reach UDP port 514, so make sure that port is only reachable from your internal network.
- Restart syslog.
Logrotate
- Create /etc/logrotate.d/gnatbox with the following contents. (The olddir directory, /var/log/gnatbox/archive, must already exist; logrotate will not create it for you.)
    # gnatbox - Logrotation config file
    # v1.0 23-Jul-2000 JPV
    # v1.1 09-Aug-2000 JPV Bugfix - corrected killall path
    # v1.2 2002-04-07 JPV Changed from 15 weeks to various
    # v1.3 2002-05-27 JPV Updated to correct e-mail address, then commented, as
    #      'errors' is deprecated

    # Global Options
    compress
    notifempty
    olddir /var/log/gnatbox/archive

    # Keep a full year of filter (rule) logs
    /var/log/gnatbox/filter.log {
        rotate 52
        weekly
    }

    # nat.log and www.log match the ???.log glob; keep six weeks of those
    /var/log/gnatbox/???.log {
        rotate 6
        weekly
        postrotate
            /usr/bin/killall -HUP syslogd
        endscript
    }
sendmail
NOTE, this will open up your mail server to listen to all addresses
that can reach it. Only do this on an internal mail server, and if you
really understand what it does!
- You will need to have the sendmail-cf rpm installed.
- Edit the following line in /etc/mail/sendmail.mc:
    Change: DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
    To:     dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
- Run this command to regenerate sendmail.cf, then restart sendmail:
    m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
- Edit /etc/hosts.allow and add or change to the following (replace nnn.nnn.nnn. with your network):
    sendmail: nnn.nnn.nnn. : ALLOW
  OR:
    sendmail: ALL : ALLOW
I have not really tested these options, so use with caution!
SME Server
- This will log all messages into the syslog "messages" file: edit /etc/e-smith/templates/etc/sysconfig/syslog/10NoMARKs and add "-r" to enable listening to the network like so:
    SYSLOG_OPTS="-m 0 -r"
- Sendmail is not installed, but qmail/smtpfwd are already listening correctly.
- Logrotate should not be needed, as SME Server already takes care of rotating the messages log.
Windows Syslog Servers
GNATBox Light comes with a free Windows Syslog server, but here are some others too.
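If you have no syslog server handy, here is a minimal stand-in written for this page (it is not part of GNATBox or GTA's tools): a UDP/514 receiver that decodes the syslog PRI field and files each message by facility, using the same local0/local1/local2 layout as the RedHat syslog.conf above. It assumes the firewall's PROtected address is 192.168.1.1 (a constructed value) and a hypothetical output directory gnatbox-logs, and it drops datagrams from any other sender.

```python
import os
import re
import socket

# Same facility-to-file layout as the RedHat syslog.conf above:
# local0 -> nat.log, local1 -> filter.log, local2 -> www.log.
FACILITY_FILES = {16: "nat.log", 17: "filter.log", 18: "www.log"}
FIREWALL_ADDR = "192.168.1.1"   # constructed: the GNATBox PROtected IP address
LOG_DIR = "gnatbox-logs"        # hypothetical output directory

# RFC 3164 datagram: "<PRI>" then the message, PRI = facility * 8 + severity.
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)

def parse_pri(datagram):
    """Return (facility, severity, message), or None if the PRI is malformed."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:               # 24 facilities * 8 severities - 1
        return None
    msg = m.group(2).decode("ascii", "replace").rstrip("\r\n")
    return pri >> 3, pri & 7, msg

def target_file(facility):
    """local0..local2 map to the three known files; anything else is a surprise."""
    return FACILITY_FILES.get(facility, "other.log")

def handle(datagram, sender):
    """Return (filename, line) for an accepted datagram, None if it is dropped.
    UDP syslog has no authentication, so the sender address is the only check
    available: only the firewall may write to these files."""
    if sender != FIREWALL_ADDR:
        return None
    parsed = parse_pri(datagram)
    if parsed is None:
        return None
    facility, severity, msg = parsed
    return target_file(facility), "sev=%d %s" % (severity, msg)

def serve(bind_addr="0.0.0.0", port=514):
    """Receive datagrams forever, appending each to its facility's file."""
    os.makedirs(LOG_DIR, exist_ok=True)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (host, _port) = sock.recvfrom(2048)
        result = handle(data, host)
        if result is not None:
            with open(os.path.join(LOG_DIR, result[0]), "a") as fh:
                fh.write(result[1] + "\n")
```

Binding UDP port 514 needs administrator or root rights; call serve() from a console and point Services, Remote Logging at this machine's address.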
Dynamic DNS Services
Stolen directly from DynDNS.org:
"Just got your cable installed? Itching to have a personal site on your DSL? Want to control your own e-mail? Don't want to have to tell friends about that annoying changing IP address or ISP-assigned hostname? We can help!
"Our Dynamic DNS and Static DNS services give you a new name - yourname.dyndns.org, for example, or you can choose from several other domains. Sign up, pick a hostname, download one of our selection of third-party update clients, and you're on your way! Best of all, these services are totally free for up to 5 hostnames each. Up to 20 hostnames in each service are available to donators."