Michael W. Lucas
News flash: computers are expensive, film at 11.
Many people use a dedicated computer as a firewall and NAT device. It's quite true that a high-end 486 running an open source UNIX-like operating system is perfectly capable of handling network connectivity in a SOHO environment, but computers have costs beyond the base hardware. These systems are bulky, and old hard drives frequently stagger on the verge of death. Plus, if you're in an enterprise environment, your manager does not want to hear statements like, "You know that desktop that was so abominably slow that you refused to let the receptionist endure it any longer? I put it back into service as the corporate firewall." Of course, you can always use your IT budget to purchase a nice new machine with a full warranty, but we all have things we'd rather buy than a computer that will sit 99% idle. All of this adds up to "expensive."
It's enough to make even the most rabid open source advocate consider purchasing an inexpensive consumer firewall appliance, losing a bit of flexibility in exchange for low-power silence.
Or, you can build a small firewall box yourself. While there are several alternatives for small, quiet systems, my favorites are the Soekris models. Soekris boxes are roughly the size of a paperback book, fanless, low-power, and designed specifically for open source operating systems. They're sold either as a plain board or mounted in a case.
For this article, I used the Soekris NET4801 -- a high-end miniature computer with a 266MHz processor and 128MB RAM, case-mounted and with a DC power supply, all purchased direct from Soekris.
While the NET4801 can use a laptop hard drive, that's a bit much for a basic network gateway. I chose to use a compact flash card for the operating system, as firewalls generally don't have to write to the local hard drive.
To install OpenBSD on a compact flash card, you need a CF drive and an OpenBSD system with a CF reader. The good news is that the OpenBSD system doesn't have to be a server-grade system; it's perfectly acceptable to take that secretary's obsolete desktop and use it as your bootstrap platform. I used a very recent OpenBSD-current on my bootstrap station. Using this method installs the same version of OpenBSD on the Soekris as on the workstation, so your choice of OpenBSD version is important. (You can install other releases on the Soekris, but that's beyond the scope of this article.)
Take the cover off of your Soekris, insert the CF card, and then hook a null modem cable to the console port and a serial port on your bootstrap station. On your bootstrap station, open up a tip(1) window at 19200 baud.
# tip -19200 tty00
connected
Plug in the Soekris, and you'll see the following in your tip(1) window:
comBIOS ver. 1.20 20030721 Copyright (C) 2000-2003 Soekris Engineering.
net4801
0128 Mbyte Memory CPU Geode 266 Mhz
Pri Mas Hitachi XXM2.3.0 LBA 993-16-63 500 Mbyte
PXE-M00: BootManage UNDI, PXE-2.0 (build 082)
The LBA space gives the disk geometry that the Soekris sees. The Soekris BIOS believes this CF card has 993 cylinders, 16 tracks per cylinder, and 63 sectors per track. Take note of those numbers; you'll probably need them. These numbers are for my 512MB flash card, which turned out to be vastly too large. My complete install, with applications, used about 20MB, or roughly 4% of that disk. A 32MB or 64MB card would have been more than sufficient and far less expensive.
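As an added example (not from the original article or from flashdist), this script compares the geometry on the comBIOS line with the geometry disklabel(8) reports for the same card in the bootstrap station's reader, so you know whether the BIOS numbers need to be entered by hand. The console line is the one shown above; the disklabel text is constructed, the function names are hypothetical, and 512-byte sectors are assumed.

```shell
#!/bin/sh
# Added example, not part of flashdist. Function names are hypothetical.

# Console line from the article; the disklabel text below is constructed.
SAMPLE_BIOS='Pri Mas Hitachi XXM2.3.0 LBA 993-16-63 500 Mbyte'
SAMPLE_LABEL='bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
cylinders: 62'

# Print "cylinders heads sectors" from text containing "LBA C-H-S".
bios_chs() {
    printf '%s\n' "$1" |
        sed -n 's/.*LBA \([0-9][0-9]*\)-\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2 \3/p' |
        head -n 1
}

# Print "cylinders heads sectors" from disklabel-style "key: value" text.
label_chs() {
    printf '%s\n' "$1" | awk -F': *' '
        $1 == "cylinders"       { c = $2 }
        $1 == "tracks/cylinder" { h = $2 }
        $1 == "sectors/track"   { s = $2 }
        END { if (c && h && s) print c, h, s }'
}

# Capacity in bytes of a "C H S" triple, assuming 512-byte sectors.
chs_bytes() {
    set -- $1
    echo $(( $1 * $2 * $3 * 512 ))
}

# Return 0 if both views agree, 1 if they differ, 2 if no LBA line was found.
check_geometry() {
    bios=$(bios_chs "$1")
    label=$(label_chs "$2")
    [ -n "$bios" ] || { echo "no LBA line in console capture"; return 2; }
    if [ "$bios" = "$label" ]; then
        echo "match: $bios ($(chs_bytes "$bios") bytes)"
        return 0
    fi
    echo "mismatch: BIOS=$bios reader=${label:-unknown}; use the BIOS values"
    return 1
}

check_geometry "$SAMPLE_BIOS" "$SAMPLE_LABEL" || true
```

On a real bootstrap station, pass the saved tip(1) capture as the first argument and the output of disklabel for the CF device as the second.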
Now get Chris Cappuccio's flashdist. flashdist is a set of tools to install a stripped-down OpenBSD on an attached hard drive device. In addition to a shell script that does most of the work, it includes some /etc scripts designed for embedded systems, kernel configurations tuned for Soekris hardware, and a text file listing every component to install to provide basic OpenBSD networking features.
I started by building a Soekris kernel using the NET4801 configuration included with flashdist.
# cp NET4801 /sys/arch/i386/conf
# cd /sys/arch/i386/conf
# config NET4801
# cd ../compile/NET4801/
# make depend && make
Once this finishes churning, copy the bsd file somewhere safe. I recommend renaming it to something like NET4801-bsd and moving the copy to your flashdist directory, just so you don't get confused and install it on your bootstrap station. (The Soekris kernel configurations don't bother with unnecessary hardware such as PC keyboards or video cards, so your bootstrap station would probably behave badly with that kernel.)
Now remove the flash card from the Soekris and put it in the bootstrap station's CF reader. Take note of which device the CF card shows up as, and then run flashdist.sh from the directory in which you extracted it.
# ./flashdist.sh -d sd0 flashsmall.txt ./NET4801-bsd /
Use the -d flag to tell flashdist which local device to install onto. In this example, the CF card is sd0, so we use -d sd0. We also need a list of files to install on the system, provided in flashdist as flashsmall.txt. The third argument is the name of the kernel file to be installed on the disk, and finally we have the directory path from which flashdist should copy the files. In this case, we're copying the system files from the installed OpenBSD system. You could extract the distribution files elsewhere and use that path here, to install a different version of OpenBSD than is on your bootstrap station.
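Because flashdist installs onto whatever disk -d names, it is worth confirming that nothing on that disk is mounted before running it. The following pre-flight check is an added example, not part of flashdist or the original article; the function names are hypothetical and the mount(8) output is constructed.

```shell
#!/bin/sh
# Added example, not part of flashdist. Function names are hypothetical.

# Constructed mount(8)-style output for a bootstrap station.
SAMPLE_MOUNT='/dev/wd0a on / type ffs (local)
/dev/wd0d on /usr type ffs (local, nodev)
/dev/sd0i on /mnt type msdos (local)'

# Print the mount points of partitions on disk $1 found in mount text $2.
# Only "/dev/<disk><partition letter a-p>" counts, so sd1 never matches sd10a.
mounted_on_disk() {
    printf '%s\n' "$2" | awk -v disk="$1" '
        index($1, "/dev/" disk) == 1 &&
        substr($1, length("/dev/" disk) + 1) ~ /^[a-p]$/ &&
        $2 == "on" { print $3 }'
}

# Return 0 when the disk name is well-formed and nothing on it is mounted,
# 1 when a partition is mounted, 2 when the name is not a plain device name.
safe_target() {
    case "$1" in
        ""|*[!a-z0-9]*) echo "bad device name: '$1'"; return 2 ;;
    esac
    busy=$(mounted_on_disk "$1" "$2")
    if [ -n "$busy" ]; then
        echo "refusing $1: mounted at $(echo $busy)"
        return 1
    fi
    echo "$1 has no mounted partitions"
    return 0
}

# Demonstration on the constructed sample. On a real system:
#   safe_target sd0 "$(mount)" && ./flashdist.sh -d sd0 flashsmall.txt ./NET4801-bsd /
safe_target wd0 "$SAMPLE_MOUNT" || true
safe_target sd1 "$SAMPLE_MOUNT" || true
```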
The flashdist.sh script will walk through an install, making its best guess at the disk geometry and prompting you for items such as the IP address of a logging server and a root password for the complete system. Once complete, remove the CF card from your workstation, insert the CF in the Soekris, and power the Soekris back on. You should see a standard OpenBSD bootup in your tip(1) window, ending with a command prompt.
Congratulations! You have a working embedded OpenBSD system. It doesn't do much yet, but at least it boots. Now to make it useful.