Your opinions on my intended setup?



  • Hi!

    I am planning out a new perimiter FW for my home system. The intented HW is a VIA C2 board with approx 1-2GB DDR2 memory and a bunch of Gbit network adapters (the expansion card). I also would like to skip any kind of static storage, like HD or CF, wholly relying on the internal memory. The idea is that I would not need to have any configuration or system files stored in updatable memory, hence achieve abit of extra security.

    The reason I wonder wether this is possible is that I have seen working implementations of floppy based FTP and SMTP servers.

    Anyone know if this is possible to achieve and (ideally) have any pointers on ho I should go about and make it happen? Or will it forever remain a dream?

    /Cheers K



  • All devices need some kind of storage for the system.
    You're talking about floppy based system.
    What do you think a floppy is?
    Not having a "hard" storage doesnt increase the security.
    If anything it decreases it. No matter what you do: if someone gains physical access to your machine, it's over.

    If you intend to route gigabit your hardware is way undersized:
    http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

    Make sure you dont use realtek NICs.
    Generally Intel NICs work the best (or at least better than the cheap ones…).
    Also if you want to route that much bandwidth make sure you have a mainboard with PCIe, since PCI is too slow.



  • Thanx for the pointers about the NICs.

    I think you missed the point about the floppy, though. The idea is to remove the floppy from the drive after the system is started.

    If I thought I needed full enterprise performance, I would buy enterprise-grade HW.
    What I need in terms of performance is actually quite alot below gigabit performance, all I need is ~150Mbit to the internal net which is more than a 100Mbit device can give but considerably less than 1Gbit, on the external net the need is lower.

    Since my performance reqs are slim I feel that I can make a silent system in this case.
    One of my goals is to get a wholly passive system  (i.e. no fans) so I will be limited to a 1.2 GhZ / 6W processor.

    How does skipping a hard drive in a FW decrease security? In the case of a power outage the system will be inaccessible when the power comes back, but other than that I don't see the connection. As long as I have the full system setup on a removable drive (like a USB stick) I can atleast have the system restored and running again in pretty short time.

    Regarding physical access: Last I checked a firewall (even with an enterprise level IDS) doesn't protect agains that…  ;D



  • As you said: if you have a power outage your firewall wont come back up.
    I believe if i think hard enough i could come up with a way to turn that into an exploitable situation.

    Like the proverb: if you can crash it, you can hack it :D

    But if you have an embedded-install, the physical media will only be used on bootup.
    pfSense runs entirely from the ram then.
    If you use a floppy as storage for your config you would have to boot from a CD.



  • @GruensFroeschli:

    Like the proverb: if you can crash it, you can hack it :D

    True, if pfSense hasa crash-bug you would be able to shut the system down for days… Though, being a non-monolithic kernel that will be hard.

    @GruensFroeschli:

    But if you have an embedded-install, the physical media will only be used on bootup.
    pfSense runs entirely from the ram then.

    I just used the floppy as an example since it was a pretty common way to set up small servers like mail and FTP servers 'in the old days'. I think I'll be using on old USB drive for system start.

    What is the performance diff between the embedded and the full version? Can I find a feature list (or something like it) so I can check the difference between the two releases?



  • The only difference is that the embedded doesnt write to the disk (while normally running) and VGA is redirected to the console.
    –> You cannot install packages.



  • @karsh:

    What is the performance diff between the embedded and the full version?

    The performance only depends on the hardware you throw at it. Network throughput doesn't differ by booting from HD or CF.


Locked