This post and the next to come are about a project I'm doing at work that I've called The Freaky Wall.
The project has its origins in the idea that using multiple technologies is better for security; almost all the servers I use are running Debian GNU/Linux and use iptables locally, so when I decided that we had to build new firewalls at work I thought it was a good idea to look at different technologies, that is, a different kernel and firewalling tools.
As I wanted to avoid iptables and the Linux kernel, my first idea was to go after the free BSD systems (FreeBSD, OpenBSD or NetBSD), and I soon realized that pf (the OpenBSD Packet Filter) was the way to go; it has a clean syntax and includes advanced features like CARP and pfsync that allow me to build redundant firewalls.
Before going after the standard systems I looked at pfSense, a firewall appliance built on top of FreeBSD that uses a PHP interface to do everything.
At first it seemed that it was going to be a good option, but soon I felt that I wasn't in control of what the system was doing and I had to change the PHP code to do trivial things (I wanted to configure IP aliases on a CARP interface and it was not possible with the web interface, while it is trivial to do using the standard system configuration files), so I dropped the idea of using it.
The second option was to use OpenBSD directly, as it is the system where pf has been developed. Soon I saw that I was going to be able to do what I wanted with the system, but I missed Debian's way of installing and upgrading the system and the list of packages available.
For different reasons the firewall project was left in limbo for a little while, and when I went back to it I already had to upgrade my test systems to a new OpenBSD release; after reading a little bit about how to upgrade and not liking the idea of doing it, I remembered that jordi had suggested that if we only wanted the kernel and the firewall tools, the Debian GNU/kFreeBSD port could be an option instead of OpenBSD or FreeBSD.
Before trying to install the Debian GNU/kFreeBSD system I saw Robert's post about a Debian installer with ZFS support and decided to start with it, as the use of ZFS would allow us to have software RAID-1 and snapshots, something we have on almost all our Linux servers (we use software RAID for redundancy and LVM snapshots to be able to do our backups at any time of the day with consistent data, but that is for another post).
In my next post I'll explain how I did the initial installation with ZFS, and after that I'll explain the changes I made to the kernel and some of the packages to be able to build a firewall as described in the Firewalling with PF document (that is, I needed pfctl, pflogd, a tcpdump with pflog support, pf's ftp-proxy, etc.), and in the last post I'll explain how I've configured the firewalls The Debian Way™.