ClosedBSD is a firewall and network address translation utility which boots off a single floppy disk and requires no hard drive. ClosedBSD is based on the FreeBSD kernel, and uses ipfw as its native ruleset management system and natd as its network address translation utility. ClosedBSD also features an advanced ncurses-based configuration manager (screenshots) which allows you to seamlessly configure your firewall ruleset using protocol filters, port forwarding, and network address translation mechanisms through a simple-to-use menu interface. DHCP is disabled for this beta release.
ClosedBSD – A FreeBSD and Firewall on a Floppy
2002-03-05 FreeBSD 10 Comments
Ah firewalls, who needs em? Just leave everything open so the guests feel welcome. You will make lots of new friends.
Well now I guess I have no excuse to set up that subnet for the wife to play on – the old AMDK2/233 can now have a use as a subnet router
I’m a bit confused by this…
Natd is userspace, right? I’ve heard that its performance isn’t too impressive. But even if what I’ve heard about natd is incorrect, ipfw doesn’t do connection tracking, it doesn’t do “stateful” firewalling. What does this mean? Well, let’s say we have a rule to allow established connections to pass. ipfw doesn’t actually keep track of the connection to see if it’s a truly established connection, it just takes the word of the packet, so if the packet says “Yep, I’m established!” ipfw lets it through, regardless of whether it really is or not (though most of the time it’s true, I’ll admit). ipf does real connection tracking, as does iptables (ipchains didn’t, of course).
I could be wrong, but I know this was the case with ipfw in freebsd 3.* and the manpage for ipfw in FreeBSD 4.* seems to suggest the behavior of ipfw is still stateless. FreeBSD CAN use ipf, so why not use it?
BTW, this is why you can have rules that match against NEW, ESTABLISHED and RELATED connections for icmp and udp under iptables (at least it appears to work this way). Udp and ICMP are obviously connectionless protocols, but iptables (netfilter really) still tracks those connections. If I remember correctly, older versions of iptables did not, so if you tried to do so on one of those protocols with an older version of netfilter/iptables, you would get an error (like invalid argument or something). Not sure if ipf will track udp and icmp, I don’t think I’ve tried it, it’s been a while since I’ve worked with ipf anyway. Ipf will do its own nat.
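To make the distinction this comment draws concrete, here is an added simulation (not ipfw, ipf or natd code, and not part of the thread) of a stateless "established" rule next to a filter that tracks connections: the packets, addresses and flag sets are constructed for the example.

```python
# Added illustration: a stateless "established" rule trusts the packet's own
# TCP flags, while a state-tracking filter only admits replies to a connection
# it has actually seen leave. Constructed packets; not ipfw's or ipf's code.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # TCP flag names, e.g. {"SYN"} or {"ACK"}
    inbound: bool         # True if arriving on the outside interface


def stateless_allows(pkt: Packet) -> bool:
    """Mimics 'allow tcp from any to any established': an inbound packet is
    admitted whenever it carries ACK or RST, whatever its history."""
    if not pkt.inbound:
        return True                       # outbound traffic is allowed
    return bool(pkt.flags & {"ACK", "RST"})


@dataclass
class StatefulFilter:
    """Records outbound connections; inbound is admitted only when it reverses
    the 4-tuple of an entry created on the way out."""
    table: set = field(default_factory=set)

    def allows(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def demo():
    """Returns (stateless verdicts, stateful verdicts) for three packets."""
    out_syn = Packet("10.0.0.5", 40001, "198.51.100.7", 80, frozenset({"SYN"}), False)
    reply = Packet("198.51.100.7", 80, "10.0.0.5", 40001, frozenset({"SYN", "ACK"}), True)
    # Unsolicited ACK from a host we never talked to: it merely *claims* to be established.
    forged = Packet("203.0.113.9", 1234, "10.0.0.5", 22, frozenset({"ACK"}), True)
    sf = StatefulFilter()
    packets = (out_syn, reply, forged)
    return [stateless_allows(p) for p in packets], [sf.allows(p) for p in packets]
```

The stateless rule passes all three packets, the tracking filter passes the real reply but drops the unsolicited ACK, which is exactly the gap the comment describes.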
Nice, added it to the collection of free firewall tools under http://www.freefire.org