OpenBSD Router

Although this
is a FreeBSD website, I like OpenBSD
too. As I developed a floppy router based on OpenBSD
4.1, I'd like to share some information about it.
SONaFR - Simple OpenBSD NAT and Firewall/Router
SONaFR is a small system with router/NAT/firewalling capabilities
that fits on a single floppy.
SONaFR-1.0, Copyright (c) George Sipos, October 2007
Download SONaFR here.
Contact
The diskette image is in Zip format (Zip is used deliberately to also
attract Windows users); it must be unpacked and written to a floppy
with dd. The device name differs per system (FreeBSD and Linux: /dev/fd0;
OpenBSD: /dev/fd0a):
dd if=subor.img of=/dev/fd0a
Alternatively you can use the rawrite.exe utility, which can be found on
many Unix sites; it is also included in the 1FCDBSD
package (One Floppy CD Audio and MP3 Player). You can also use many
utilities like Winimage.
As I found some incompatibilities between
DOS, Windows 98 and Windows XP, I included rawwritewin.exe
in the ZIP package, so you can breathe with ease; refer to the
image below.
[image: SONaFR]
OpenBSD's packet filter (pf) is a unique firewall,
and the system is considered to be one of the best security solutions
around. I originally wanted to write configuration scripts, but I soon
realized that there are countless hardware combinations out there and that
users learn more if things are configured manually; but don't worry, only
a little time is required for this.
Automation restricts; I have experienced this many times:
a cellular phone that switches off its backlight right at the moment
when you need to read a phone number from its screen, or even a VHS
recorder that switches off after only five minutes of recording, without
telling me about it. The fact that you must hold a button for a few
seconds in order to record the entire film is explained somewhere in
the huge manual, which most of us do not have the time to read. Wouldn't
I be happier without it? In most cases, yes!
This is a floppy distribution with a minimal kernel, so it is not
possible to compile every driver into it.
You need two network interface cards (NICs) to use
this floppy. To see all network interfaces detected on your system,
just type ifconfig (from within SONaFR); type more /etc/cards
to see all cards that the SONaFR kernel supports.
How to configure SONaFR
No installation is necessary - SONaFR is a bootable diskette with OpenBSD
4.1, its own little editor (mg) and an editable filesystem stored
in memory. The minimum requirements are 9.5 MB of RAM
and a working computer (Pentium, or even a 486) with a diskette drive.
Everything else depends on SONaFR's ability to detect your network
interface cards (NICs). This ability is good, but since the kernel
is minimalist, some network cards may not be recognized. Once the floppy
boots, you will see a navigation text; press SPACE to read
the introduction text to the end. Refer to the image below.

The QuickStart Way
1) configure your network cards using ifconfig
2) edit the file /etc/pf.conf (to specify your real NICs)
3) put your DNS servers into /etc/resolv.conf
4) activate your Internet connection, e.g., type "dhclient rl0"
5) finally, activate the firewall itself: either type /etc/start2,
or run the commands it contains by hand:
pfctl -F all
pfctl -f /etc/pf.conf
pfctl -s state
(pfctl -F all flushes the old rules, NAT entries and state table; pfctl -f
loads the ruleset from /etc/pf.conf; pfctl -s state prints the state
table, so you can watch connections appear. If pf itself is not yet
enabled, pfctl -e turns it on, and forwarding packets between the two
NICs additionally requires net.inet.ip.forwarding=1, as the comment at
the top of /etc/pf.conf reminds you.)
6) configure the computers on your LAN (Local Area
Network) that you plan to connect to this router, via a hub or directly
(one computer only): give each of them the gateway address 192.168.0.1,
as well as your DNS servers.
A More Detailed Description
Firstly, configure the external NIC,
the one connected to the outside world; most usually, DHCP
is used for this. If your network card is rl0, for example, type
"dhclient rl0" and the configuration is made automatically.
Ping the outside world to test that the connection is working properly.
Type "ping 217.67.16.49", which is the same as "ping
www.freebsd.nfo.sk". To resolve names, however, you first need to configure
your nameservers (see the /etc/resolv.conf step below); pinging by
IP address works without DNS.

After typing "ifconfig", you will see a screen similar to the one
above.
Configure the internal NIC; if
your internal NIC is nfe0, just type "ifconfig nfe0 192.168.0.1"
and replace "nfe0" with your system's corresponding interface.
(Without an explicit netmask, OpenBSD uses the class-based /24 mask for a
192.168.0.x address, which is what we want here; if you prefer to be
explicit, type "ifconfig nfe0 192.168.0.1 netmask 255.255.255.0".)
The private address (192.168.0.1) is also the one configured in /etc/pf.conf
for NAT. If you receive an error message after typing "ifconfig
interface address", the driver is most likely not compiled
into the kernel. In such a case I can make a new kernel for some fee.
I can also make a CD image for a fee.
Once both NICs (external and internal) are configured, edit /etc/pf.conf
and give the proper device names for "IntIf" (Internal
Interface) and "ExtIf" (External Interface) just below
the comment "Declare interfaces" near the beginning of
/etc/pf.conf. Editing is possible with "mg".
Just type "mg /etc/pf.conf". Also change the first
option at the beginning of pf.conf, "set loginterface",
and put your real External Interface there (rl0, nfe0, dc0, etc.), like
this: "set loginterface rl0",
replacing "rl0" with the NIC that you plan to point
to the outside world. (The option is spelled loginterface; pfctl refuses
to load the file if it is misspelled. The literal interface name is needed
here because this line comes before the macros are declared.) After you
are finished editing, exit with Ctrl+X followed by Ctrl+C and press "y"
to save your changes.
An example of the beginning lines of the /etc/pf.conf file follows;
you only need to change the interface names:
----------------> example of /etc/pf.conf <-----------------
# $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
set loginterface rl0
# Optimize the engine for normal network environment.
# Section: SCRUB
# Interface: all
# Resolve overlapping IP fragments. Fragments are cached and reassembled by
# pf before a packet is received by its destinations. This will protect
# machines with less secure stacks behind it from fragmentation attacks.
# -------------------------------------------------------------------------
#scrub in all
scrub in all fragment reassemble
scrub out all
# -----------------------------------------------------------------------
# Declare interfaces
# -----------------------------------------------------------------------
LoIf="lo0"
IntIf="nfe0"
ExtIf="rl0"
==========================================================================
----------------> end of example of /etc/pf.conf <-----------------
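The excerpt above stops right after the interface declarations. What follows is an added example of a complete ruleset for the NAT router configured in the QuickStart and in the detailed description; it is not the pf.conf shipped on the SONaFR floppy. It keeps the page's interface names (rl0 outside, nfe0 inside, 192.168.0.1 on the LAN side) and the pre-4.7 nat syntax that OpenBSD 4.1 understands. The 192.168.0.0/24 LAN network is inferred from the page's addresses, and the policy below the macros (drop everything inbound, let the LAN go anywhere) is my assumption of a sane default, so adjust it to your needs.

```pf
# Added example ruleset for the SONaFR NAT router (OpenBSD 4.1 pf syntax).
# Not the file shipped on the floppy: the interface names are the page's
# examples and must match what ifconfig shows on your box.

# Declare interfaces (macros must come before anything that uses them)
LoIf="lo0"
IntIf="nfe0"                  # LAN side, carries 192.168.0.1
ExtIf="rl0"                   # Internet side, address comes from dhclient
IntNet="192.168.0.0/24"       # assumption: the LAN behind the router

# Options
set loginterface $ExtIf       # pfctl -s info then shows counters for rl0
set skip on $LoIf             # never filter loopback

# Normalisation (same as the shipped file)
scrub in all fragment reassemble
scrub out all

# Translation: rewrite LAN source addresses to the external address.
# The parentheses make pf re-read the address if dhclient changes it.
nat on $ExtIf from $IntNet to any -> ($ExtIf)

# Filtering: drop everything coming in unless a rule below allows it
block in log all              # drop the word "log" if the kernel has no pflog0

# A packet with a LAN source address arriving on any other interface is spoofed
antispoof quick for $IntIf

# Let anything out; the state it creates admits the replies
pass out keep state

# LAN hosts may open connections to anywhere (NAT happens on the way out)
pass in on $IntIf from $IntNet to any keep state

# DHCP answers for dhclient on the external interface
pass in on $ExtIf inet proto udp from any port 67 to any port 68
```

Load it with pfctl -f /etc/pf.conf after dhclient has assigned the external address, then check with pfctl -s nat and pfctl -s rules that the macros expanded to the interfaces you expected. pfctl -nf /etc/pf.conf parses the file without loading it, which is the quickest way to catch a misspelled option or interface name. Remember that pf applies the last matching rule unless a rule says quick, so a specific pass or block placed below these lines overrides them for the traffic it matches.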
Then edit /etc/resolv.conf (type mg /etc/resolv.conf;
an example DNS entry is already included in this file) and put your real DNS
servers there. Type /etc/start2, or look into the file /etc/start
(with the more command: "more /etc/start") to
see some commented examples for changing the MAC address
of your external NIC, in case your Internet provider requires MAC identification.
Every PC behind NAT needs its own unique internal IP address; address
conflicts cause problems. Connect your desktop computer(s) to
this router (to its Internal Interface, via a hub), configure each desktop's
NIC with an address in the 192.168.0.x range (e.g., 192.168.0.3, 192.168.0.4,
etc.) and the netmask 255.255.255.0, and issue this command on it:
"route add default gw 192.168.0.1" (Linux) or "route add default
192.168.0.1" (FreeBSD).
This tells your desktop computers to use our router as the default gateway.
If you use Windows, configure the network
similarly (an address in the 192.168.0.x range, but not 192.168.0.1,
which is our router) and specify the gateway address (192.168.0.1) of
this router on every PC. If you have more computers, connect this
router's Internal Interface to a hub and then connect the other
computers to this hub as well; they will all be able to browse the
Internet. After you configure the LAN computers with addresses like
192.168.0.2 (3, 4, 5, 6, 7, etc.), do not forget to specify the gateway on
each of them as explained above, as well as the DNS servers.
Transparent Firewall
This box may also be used as a transparent (invisible) firewall.
If you have a computer with two NICs and move frames from one network
card to the other through a bridge, without IP addresses, you work
at OSI layer 2 (data link); thus you get a full
firewall which you can put on any network segment without needing
to configure or change anything on the existing network. Such a firewall
is also quick, as it makes no routing decision; pf still inspects the IP
packets carried over the bridge, so your rules match on addresses and
ports exactly as on a routing firewall.

Type: "ifconfig bridge0 create"
Then type: "brconfig bridge0 add rl0 add rl2 up" to
activate the bridge, i.e. the forwarding of frames from one NIC to the other
(transparent firewall), replacing "rl0" and "rl2"
with the network devices present on your system. The member interfaces
must be up as well ("ifconfig rl0 up" and "ifconfig rl2 up") even though
they carry no address. The box where this bridge
runs can be placed on any network segment without needing to configure
IP addresses. Of course, to activate the transparent firewall you still have
to load the rules with pfctl:
pfctl -f /etc/pf.conf
The behavior of such a firewall depends on the rules defined in the
/etc/pf.conf file. Note that pf filters only IP traffic, so non-IP frames
such as ARP cross the bridge unfiltered.
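An added example ruleset for the bridge mode described above, not SONaFR's own file: it assumes rl0 is the member facing the upstream network, rl2 the member facing the hosts you protect, that those hosts live in 192.168.0.0/24, and that one of them (192.168.0.10, an assumed address) must stay reachable by ssh from outside. Everything else is blocked.

```pf
# Added example ruleset for the transparent (bridge) firewall,
# OpenBSD 4.1 pf syntax. Not SONaFR's own file. Assumptions: rl0 faces
# the upstream network, rl2 faces the protected hosts, which live in
# 192.168.0.0/24; 192.168.0.10 is an assumed server address.
Outside="rl0"
Inside="rl2"
Protected="192.168.0.0/24"
Server="192.168.0.10"

set skip on lo0
scrub in all fragment reassemble

# A bridged packet is seen by pf twice: inbound on the member it arrived
# on and outbound on the member it leaves by. Decide on the inbound pass
# of each member and let the outbound pass through on the state entry.
block in log all
pass out keep state

# Protected hosts may reach the outside; replies ride the state entry
pass in on $Inside from $Protected to any keep state

# From outside, admit only new ssh connections to the one server
pass in on $Outside inet proto tcp from any to $Server port 22 flags S/SA keep state
```

Because the box has no IP address of its own, no nat rule and no loginterface are needed, and the protected hosts keep their existing gateway and addresses. Check with brconfig bridge0 that both members are listed and up before blaming the rules for a segment that has gone quiet.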
Bandwidth Control
OpenBSD's Packet Filter has an advanced feature to control the amount
of bandwidth passed through the network, called traffic shaping. ALTQ
statements are used for this; you write them into your /etc/pf.conf
file. There are manual pages on the Internet, and it is not my goal
to provide detailed information on the various advanced features of Packet
Filter; this is strictly an OpenBSD matter, so look in (or visit) the
appropriate place where such information can be found.
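As an added illustration of the ALTQ statements mentioned above (not part of SONaFR, and not a substitute for the pf.conf manual page), the fragment below gives interactive traffic priority over bulk transfers on the external interface. rl0 and the 2Mb uplink figure are assumptions; in a full file the altq and queue lines belong after the scrub lines and before the nat and filter rules, since pfctl insists on that order.

```pf
# Added example: ALTQ priority queueing on the external interface, in
# OpenBSD 4.1 pf syntax. Not part of SONaFR. The 2Mb figure is an assumed
# uplink rate; set it slightly below what the link really does, so that
# queueing happens on this box and not in the provider's modem.
ExtIf="rl0"

altq on $ExtIf priq bandwidth 2Mb queue { q_high, q_low }
queue q_high priority 7
queue q_low  priority 1 priq(default)

# Interactive ssh and DNS lookups jump ahead of bulk traffic; anything
# not assigned a queue by a rule lands in the default one.
pass out on $ExtIf inet proto tcp from any to any port 22 keep state queue q_high
pass out on $ExtIf inet proto udp from any to any port 53 keep state queue q_high
```

After loading, pfctl -s queue shows the queues, and pfctl -vs queue shows per-queue packet counters, which is how you confirm traffic is actually landing in q_high. If the floppy kernel was built without ALTQ support, pfctl refuses to load the altq line; in that case this feature needs a kernel that includes it.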
Tips:
This is a simple but quite efficient one-floppy firewall and NAT/router
(tested on a few computers); editing, improving or customizing
/etc/pf.conf changes the rules and thus how this firewall behaves.
Type: /etc/floppy to format a (preformatted) diskette, or to
back up or restore configurations.
Type: /etc/memory to find out the size of your available RAM.
Type: more /etc/RAM-examples to see how to reconfigure RAM.
Type: more /etc/license to see the license.
Type: more /etc/cards to see the network cards (NICs) this Mini
BSD supports.
Type: more /etc/allcommands to see all commands this router supports.
Enjoy!