kirk blog

Mon, 21 May 2007

[20070521] Using crunchgen with OpenBSD Firewalls

After BSDCan, I try to think of some userland paper that I could present at the next conference. I was wondering if crunchgen would be too boring. I used to build my OpenBSD firewalls as tiny systems and I was considering revisiting this technique. I would figure out the minimum set of executables and files required, use the picobsd utilities, and use the openbsd installation media tools to create a boot image. Does a minimal system offer any extra security?

• I would use CDROM boot images.
• The firewall should not require a hard drive.
• The filesystem would be read-only.
• A shell will just appear on the serial console -- no login required.
• I want to introduce new configuration files without rebooting.

Why OpenBSD? I reported a sysctl() bug on Sunday and hours later the fixed is committed. Since then, I have been purchasing OpenBSD t-shirts and CDROMs to help support this project.

References:

• crunchgen -- man page
• kindofblue10.tgz -- the post that gave me the idea
• flashboot -- appears to be a new project
• picobsd -- has tiny utilities that use sysctl() instead of reading kernel memory
• OpenBSD -- my choice in firewall software
• BSDCan -- requires more OpenBSD content :-)

Sun, 20 May 2007

[20070520] BSDCan 2007

I went to BSDCan this weekend. My favorite presentations were about ZFS -- a file system on the move, and Poisonous People -- a lively discussion about open source projects. I plan to attend next year.