GNATBox Firewall Installation Quick Reference

Introduction

This is a quick reference guide for installing the free GNATBox Light firewall. GNATBox Light is a complete hardened, stateful, BSD-based firewall that fits on a single floppy disk (how cool is that?). See below for references. You can download a Word document with some sample Avery 5196 diskette labels at http://www.jpsdomain.org/public/ /GNATBox_Diskette_Labels.doc. Also check out my Home Networking diagram and explanation at http://www.jpsdomain.org/infosec/home_networks.html.

If you are interested in firewalls, you should also check out http://m0n0.ch/wall/, a completely free and Open Source firewall platform. It is arguably better than the GNATBox in many ways, such as having a more standard (in firewall terminology) and intuitive interface, many more features, no arbitrary limits on the number of interfaces or the number of connections, etc. However, it requires more resources to run (Pentium or better, 64 MB RAM or better, and a hard drive, CD-ROM or CF-Card). Both M0n0wall and GNATBox are very cool, and both have their place, so check them both out.

What's Needed

  • 486 or better with 32 MB RAM [I'm only using 20 MB] and a floppy drive (no hard drive)
  • 2 NICs (3Com 3c509b recommended for 486/ISA)
  • You will need a keyboard and monitor for the install only

Work Sheet

  • External IP Address (*):
  • External MAC Address (+):
  • External subnet mask (*):
  • Default Gateway (*):
  • ISP DNS 1:
  • ISP DNS 2:
  • Internal (PROtected) IP Address:
  • Internal MAC Address (+):
  • Internal subnet mask:

(*) If you have a cable modem, PPPoE or other link that uses DHCP, you will not need these.
(+) It is very helpful, but not required, to know the MAC addresses of the network cards. The address is often written somewhere on the card, especially on 3Com cards.

Basic Instructions (circa October 2002, updated 2006-03-06)

  1. Read about GNATBox Light (a little obsolete) at:
    http://www.gta.com/news/release/?n=1998-04-07.html
  2. Download the installer and the documentation from: http://www.gta.com/products/gblight/ and http://www.gta.com/support/documents/.
    There is also a FAQ at http://www.gta.com/support2/faq/, though only the "General Questions" section has much bearing on the GNATBox Lite.
  3. Install the software on the machine from which you will do management. At the end of the first part of the install, you may want to unselect items you don't need, e.g. "Make GNATBox Light PPP floppy." Then there will be a few more simple install wizards and you're finished.
  4. Format and write a GNATBox floppy disk. (Using GBAdmin or gbMakeFloppy you can "merge" an existing configuration into the new "image" when you need to upgrade to a new version. See below.)
  5. Set the BIOS to boot without a keyboard if possible on the firewall box and boot the install floppy.
  6. On the firewall box itself, follow the GNATBox setup wizard to configure the firewall.
    1. Set the host name.
    2. Enter the external and internal IP Addresses and subnet masks as needed. If you have a cable modem, use DHCP on the external address.
    3. Hit the space bar to select a different interface for the PROtected interface--it defaults to the one you probably already used for the external interface.
    4. Hit the spacebar to skip setting up a private service network (PSN, AKA DMZ)--that is not a feature in the free version (neither is a VPN).
    5. Set the default route (AKA next hop) if necessary. This is for the external side only. If you are using DHCP on the outside you should not set it on older GNATBox versions. On newer versions, you set it to the "Interface object" of the connection (i.e. <EXTERNAL>)
    6. Set the password for the administration account.
    7. Save the configuration when finished.
    8. When the firewall finishes loading, try pressing ALT-F1, ALT-F2, and ALT-F3 on the console. The first screen is log messages, the second is the console admin tool, and the third is network stats.
  7. Next, connect to the firewall from the management machine. Launch GBAdmin and choose File, Open. Select the Network radio button and enter the IP address of the firewall. The default admin account is 'gnatbox', and the password is whatever you entered in the wizard. You can change both later.
    1. While there is a web GUI, I prefer to use the fat client as I think it is a little easier, and if you turn off the web GUI, it makes it that much more difficult for anyone to try to connect to your firewall from the inside.
  8. Register your GNATBox light. This increases some of the restrictions, and is free. I've never gotten any SPAM I can trace to them from this. It is most important that you correctly enter the MAC address of your PROtected network interface. To find the MAC Address of your PROtected network interface go to the Network Information screen using any of the User Interface tools (Console, Web or GBAdmin). Look in the Physical Interfaces section for the network interface card that you have assigned to the PROtected network interface. The MAC address will be displayed there as a set of 12 characters in six sets of two separated by colons. (Example: 08:00:2b:9a:94:3a). You should enter the MAC address exactly as it appears. You can cheat by going to the "Reports" section, then to Configuration. You can copy and paste from that report. Just make sure you copy the correct MAC address.
    1. Surf to http://www.gta.com/products/regGblight/ and fill in the form.
    2. Enter the PROtected MAC address as above. You will immediately get the registration number in your web browser and a copy will be e-mailed to you as well.
    3. Go to the "Basic Configuration, Features" screen.
    4. Hit the green plus on the tool bar, or use Edit, Insert. Paste the registration code into the box. Note, the feature description will remain "?????" until you exit and come back into the admin interface.
    5. Go to the "Basic Configuration, Preferences" screen.
    6. Paste the serial number in, and fill out the rest of the boxes.
  9. Explore the interface. When you click on a main heading, you get a summary/help page. Especially check out the Reports and System Activity sections.
  10. Review the configuration:
    1. Basic Configuration, DNS: Configure and enable as needed.
    2. Basic Configuration, Features: Only the activation code is needed here.
    3. Basic Configuration, Preferences: Enter at least a name, Email address, Serial number and support email address. (Should have already entered at least the serial number)
    4. Services, E-Mail Proxy: Configure and enable as needed. If you have a small network and you receive e-mail to a server inside the firewall, you definitely want this! For home use or when e-mail is hosted elsewhere, it's probably not needed.
    5. Services, Remote Logging: We'll get back to this.
    6. Authorization, Admin Accounts: You can change the admin account name or password here, or create new accounts with various rights.
    7. Authorization, Remote Admin/Authentication: Configure how you can administer the box. By default a web server on port 80 is enabled. I usually disable this since it is not using SSL (in the free version). It is only accessible from the internal network, but...
    8. Authorization, VPNs: Not applicable for the free version.
    9. Content Filtering: Various proxy and content filtering options, including CyberPatrol (extra cost). It also includes an HTTP proxy, which operates in either traditional (which you must configure browsers to use) or transparent (which requires no changes to browsers!).
    10. Routing: Allows you to configure RIP and/or static routes if needed.
    11. Objects, Addresses: You can create objects to describe your environment that may be used in rules (more below).
    12. Objects, VPN: I usually disable this object, since the VPN is not enabled in the free version.
    13. Filters, Outbound (i.e. outgoing rules): Verify the rules. Basically, the default rules allow everything outbound, which may not really be what you want. Firewall best practices dictate that you be as specific as possible in what traffic is allowed in and out of your network. For example, many trojans attempt to communicate out to the world on TCP or UDP port 53, assuming that many firewalls allow unrestricted outgoing DNS.
    14. Filters, Preferences, Email Server tab: If you have an SMTP server (e.g. Exchange), you can have the GNATBox e-mail alerts to you. If you do not configure this, you will need to remove the "alarm" on outgoing rule 17.
      There are lots of other neat things in these various tabs too.
    15. Filters, Protocols: Defines protocols. Pretty much never do anything here.
    16. Filters, Remote Access (i.e. incoming rules): Verify the rules! These are the rules that allow traffic into your network. Make sure you understand exactly what they are doing!
      1. Disable rule 4, which allows unrestricted incoming and outgoing DNS (53/UDP). You almost certainly want to disable this rule! (Rule 2 is OK, as it is only outgoing, unless you are being as specific as you should be with outgoing rules.)
      2. Rule 7 is a great rule to block but not log or alert on a bunch of trash, including 1900/UDP, which is Windows XP UPnP discovery. I had to create that rule manually in an earlier version because I was getting an alert e-mail every few seconds after I stupidly installed a "security patch" from Microsoft on an XP test box.
      3. Disable rule 13, or change it to "deny." Ident (AKA auth) is an obsolete UNIX protocol often used by SMTP and FTP servers in a lame attempt to discover who owns the process that is trying to talk to them. Note that if the ident attempt is silently dropped rather than rejected, the remote server may wait up to 2 minutes for it to time out before continuing. However, I always disable this rule and have not had a problem.
      4. Consider rule 14, you may or may not want to deny ICMP access to the firewall.
      5. Rule 17 is the "cleanup" rule (in Checkpoint-speak) that denies and logs anything not already allowed.
    17. Filters, Time Groups: You can create time groups, then do various things with them with the rules.
    18. IP Passthrough: Allows you to bypass NAT if necessary. This is probably not what you want to do in a small environment with the free version. It might make sense with a commercial version with a DMZ (PSN).
    19. NAT: In general allows you to configure aspects of NAT.
    20. NAT, Inbound Tunnels: This is very useful, and very dangerous. It allows you to do PAT (Port Address Translation), which means you can re-direct incoming traffic from your firewall to a machine on your internal network. This can be useful, but it also allows traffic to come into your network. Be very sure you know what you're doing with this. (Note, many ISPs have service contracts that prohibit you from running servers anyway.) I forward an arbitrary port from my firewall address to port 22/TCP on my services server. Thus, I can SSH into my server from anywhere.
    21. Runtime, Version: Gives you the version of the runtime image you are currently using.
    22. Reports, Verification: Find and resolve any problems with your config. A yellow or red light by a section shows a problem. Green lights are good. White lights are features which are not configured (and many are not available in the free version).
    23. Reports, Hardware: Gives you some basic information about the hardware of your firewall server.
    24. Reports, Configuration: Cut & Paste the config report into Notepad and save it, so you have a more or less human-readable copy of your config.
    25. System Activity: All kinds of information about what the server is doing.
    26. Links: Various URLs.
  11. Save the configuration to the floppy.
  12. You now have a basic firewall set up.
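The rule review in step 10 (disable rule 4, disable or deny rule 13, keep rule 7 and the cleanup rule 17) is easier to reason about with a first-match model in front of you. The script below is an added example, not GNATBox code: the rule numbers and behaviour are a constructed approximation of the defaults as the checklist describes them, so the exact GNATBox definitions are an assumption. It shows why disabling rule 4 matters: inbound 53/UDP stops hitting an accept rule and falls through to the deny-and-log cleanup rule instead.

```python
"""First-match model of the Remote Access (incoming) rule list.

Added example, not GNATBox code. Rule numbers and behaviour approximate the
defaults described in the checklist (rule 2 outgoing DNS, rule 4 DNS both
ways, rule 7 silent drop of 1900/UDP, rule 13 ident, rule 14 ICMP to the
firewall, rule 17 cleanup); the exact product definitions are an assumption.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port, None for ICMP
    direction: str        # "in" (from the Internet) or "out" (from PROtected)


@dataclass(frozen=True)
class Rule:
    number: int
    description: str
    protos: FrozenSet[str]
    ports: Optional[FrozenSet[int]]   # None matches any port
    directions: FrozenSet[str]
    action: str                       # "accept" or "deny"
    log: bool = True
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        return (self.enabled
                and pkt.proto in self.protos
                and (self.ports is None or pkt.dport in self.ports)
                and pkt.direction in self.directions)


def default_rules() -> List[Rule]:
    """Constructed approximation of the default list, numbered as in the text."""
    f = frozenset
    return [
        Rule(2, "outgoing DNS", f({"udp"}), f({53}), f({"out"}), "accept"),
        Rule(4, "DNS in both directions", f({"udp"}), f({53}), f({"in", "out"}), "accept"),
        Rule(7, "silently drop UPnP discovery noise", f({"udp"}), f({1900}), f({"in"}),
             "deny", log=False),
        Rule(13, "ident/auth", f({"tcp"}), f({113}), f({"in"}), "accept"),
        Rule(14, "ICMP to the firewall", f({"icmp"}), None, f({"in"}), "deny"),
        Rule(17, "cleanup: deny and log everything else",
             f({"tcp", "udp", "icmp"}), None, f({"in", "out"}), "deny"),
    ]


def first_match(rules: List[Rule], pkt: Packet) -> Rule:
    """Rules are evaluated top to bottom; the first enabled match decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    raise LookupError("no rule matched; the list should end with a cleanup rule")


def disable(rules: List[Rule], numbers: Iterable[int]) -> List[Rule]:
    """Return a copy of the rule list with the given rule numbers disabled."""
    numbers = set(numbers)
    return [replace(r, enabled=False) if r.number in numbers else r for r in rules]


def review(rules: List[Rule]) -> Dict[str, Rule]:
    """Probe the rule list with the traffic the checklist talks about."""
    probes = {
        "inbound 53/udp (DNS)": Packet("udp", 53, "in"),
        "outbound 53/udp (DNS)": Packet("udp", 53, "out"),
        "inbound 113/tcp (ident)": Packet("tcp", 113, "in"),
        "inbound 1900/udp (UPnP)": Packet("udp", 1900, "in"),
        "inbound icmp": Packet("icmp", None, "in"),
        "inbound 22/tcp (ssh)": Packet("tcp", 22, "in"),
    }
    return {name: first_match(rules, pkt) for name, pkt in probes.items()}


if __name__ == "__main__":
    for label, rules in (("default", default_rules()),
                         ("rules 4 and 13 disabled", disable(default_rules(), {4, 13}))):
        print(f"== {label} ==")
        for name, rule in review(rules).items():
            log = "log" if rule.log else "no log"
            print(f"{name:28s} -> rule {rule.number:2d} {rule.action} ({log})")
```

Running it prints the two tables side by side; the line worth comparing is inbound 53/UDP, which goes from "rule 4 accept" to "rule 17 deny (log)", while outbound DNS still matches rule 2 and the UPnP noise is still dropped without a log entry by rule 7.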

Hints

  • You can save and open GNATBox configurations from the network (to the firewall itself), any number of floppies, and files on the local hard drive. Since the entire firewall system resides on a single floppy, this makes the back-out plan when upgrading absurdly simple--put the old floppy back in and reboot. Likewise, in a test lab, you can have any canned firewall config you want just by using a different floppy.
  • Backup the system by creating a backup floppy. This is also great for testing! Open the existing configuration from the local drive, then switch floppies and save both "Configuration" and "Runtime." Or, you can open a firewall over the network, save the config as a file, then merge it to a new floppy as below.
  • "Merge" an old config into a new GNATBox runtime with GBAdmin:
    1. Run the GUI admin tool.
    2. Open the firewall over the network, or the firewall floppy.
    3. Choose the File, Merge menu.
    4. Load the old config file or floppy.
    5. Verify the configuration, then save the merged config.
  • "Merge" an old config into a new GNATBox runtime with gbMakeFloppy.
    1. Run "Make GB Lite Floppy"
    2. Click the control menu (icon in the title bar, in the upper left, directly left of the text "GNATBox Make Floppy") and choose the appropriate option.
  • See the GNATBox Forums at http://forum.gnatbox.com/.

Remote Logging

OK, one very important thing we have not talked about is logging. Since the GNATBox uses a single floppy disk, it has no room for local logging. It can log to memory, but that usually runs out pretty fast too. So a remote loghost is great. If you already have a syslog server (every UNIX system has one) you can use that (see the resources section for syslog server configuration). If not, GNATBox Lite used to come with one for Windows, but that seems not to be the case any more. See Windows Syslog Servers below for solutions.

  1. In Services, Remote Logging: Enable logging.
  2. Enter the IP address and port (514) of your syslog server. The defaults are not bad, so I'd start with them.
  3. If you are using a UNIX syslog and understand facilities, you can configure those as needed. See the RedHat example below.
  4. If you are using a Windows syslog, you are probably not logging anything but the GNATBox, so it's not worth changing facilities.

Advanced Resources

RedHat Syslog & Sendmail configuration

This was tested using RedHat 7.1 and 7.2 but should be similar for most distributions.

syslog

On your RedHat box:

  • mkdir -p /var/log/gnatbox
  • Edit /etc/syslog.conf and add the following (separate the selector from the file name with tabs; old versions of syslogd do not accept spaces there):
    # Save GNATBox Firewall logs/messages
    local0.*	/var/log/gnatbox/nat.log
    local1.*	/var/log/gnatbox/filter.log
    local2.*	/var/log/gnatbox/www.log
  • Edit /etc/sysconfig/syslog and add "-r" to enable listening to the network like so ("-m 0" turns off the periodic "-- MARK --" lines; "-r" accepts syslog datagrams from any host that can reach UDP port 514, so this box belongs behind the firewall, not outside it):
    SYSLOGD_OPTIONS="-m 0 -r"
  • Restart syslog.
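If you have no UNIX syslog server and the Windows one no longer ships with GNATBox Lite, a few dozen lines of Python will file the firewall's messages the same way the syslog.conf above does. This is an added example, not part of the page and not GTA's software: it parses the BSD syslog priority field, maps local0/local1/local2 to nat.log, filter.log and www.log exactly as the configuration above does, and, unlike "syslogd -r", only accepts datagrams from the firewall's own address. The sample datagrams are constructed for the example (they are not real GNATBox output) and the firewall address 192.168.1.1 is an assumption.

```python
"""Minimal UDP syslog receiver that files GNATBox messages by facility.

Added example, not part of the page and not GTA's Windows syslog server.
Facility-to-file mapping follows the RedHat syslog.conf in the text
(local0 -> nat.log, local1 -> filter.log, local2 -> www.log). Sample
datagrams are constructed; the firewall address 192.168.1.1 is an assumption.
"""
import re
import socket
import sys
from pathlib import Path

# BSD syslog (RFC 3164) header: "<PRI>message", PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Facility numbers 16..23 are local0..local7; map the three the page uses.
FACILITY_FILES = {16: "nat.log", 17: "filter.log", 18: "www.log"}
DEFAULT_FILE = "other.log"   # anything else, including messages with no PRI


def parse_pri(datagram: str):
    """Return (facility, severity, message) or None if there is no valid PRI."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:            # 23 * 8 + 7 is the largest legal value
        return None
    return pri // 8, pri % 8, m.group(2)


def target_file(datagram: str) -> str:
    """Pick the log file for one datagram from its facility."""
    parsed = parse_pri(datagram)
    if parsed is None:
        return DEFAULT_FILE
    facility, _severity, _message = parsed
    return FACILITY_FILES.get(facility, DEFAULT_FILE)


def route(datagrams, allowed_sources=None):
    """Sort (source_ip, text) pairs into {file name: [messages]}.

    Datagrams from addresses outside allowed_sources are counted and dropped,
    so another host on the LAN cannot write into the firewall's log files.
    """
    filed, dropped = {}, 0
    for src, text in datagrams:
        if allowed_sources is not None and src not in allowed_sources:
            dropped += 1
            continue
        filed.setdefault(target_file(text), []).append(text)
    return filed, dropped


# Constructed samples: the message bodies are made up for this example.
SAMPLE_DATAGRAMS = [
    ("192.168.1.1", "<134>Mar  6 10:00:01 gnatbox nat: 192.168.1.10:1025 -> 198.51.100.7:80"),
    ("192.168.1.1", "<142>Mar  6 10:00:02 gnatbox filter: rule 17 deny udp 203.0.113.9:53 -> 192.0.2.10:53"),
    ("192.168.1.1", "<150>Mar  6 10:00:03 gnatbox www: GET / from 192.168.1.10"),
    ("192.168.1.99", "<134>Mar  6 10:00:04 notthefirewall: forged entry"),
    ("192.168.1.1", "a line with no PRI header"),
]


def serve(firewall_ip: str, logdir: str = "gnatbox-logs", port: int = 514):
    """Receive on UDP/514 (binding it needs root; use a high port otherwise)."""
    Path(logdir).mkdir(parents=True, exist_ok=True)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (src, _) = sock.recvfrom(4096)
        filed, dropped = route([(src, data.decode("ascii", "replace"))], {firewall_ip})
        if dropped:
            print(f"ignored syslog datagram from {src}", file=sys.stderr)
        for name, messages in filed.items():
            with open(Path(logdir) / name, "a") as fh:
                fh.write("\n".join(messages) + "\n")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        serve(sys.argv[1])        # e.g. python3 gblog.py 192.168.1.1
    else:
        filed, dropped = route(SAMPLE_DATAGRAMS, {"192.168.1.1"})
        for name, messages in filed.items():
            print(f"{name}: {len(messages)} message(s)")
        print("dropped from other hosts:", dropped)
```

Without arguments it runs the constructed samples through the router and prints how many messages landed in each file and how many were dropped; with the firewall's address as the only argument it listens for real. Point the GNATBox "Services, Remote Logging" screen at this machine and leave the facilities at their defaults, exactly as you would for the RedHat setup.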

Logrotate

  • Create /etc/logrotate.d/gnatbox with the following contents (the "olddir" directory must already exist, so run mkdir -p /var/log/gnatbox/archive first; a HUP is sent after each rotation so syslogd reopens the new files instead of writing into the renamed ones):
# gnatbox - Logrotation config file
# v1.0 23-Jul-2000 JPV
# v1.1 09-Aug-2000 JPV Bugfix - corrected killall path
# v1.2 2002-04-07 JPV Changed from 15 weeks to various
# v1.3 2002-05-27 JPV Updated to correct e-mail address, then commented, as
#       'errors' is deprecated

# Global Options
compress
notifempty
# Rotated copies go here; the directory must exist and be on the same filesystem
olddir /var/log/gnatbox/archive

# Keep a year of filter (rule) logs
/var/log/gnatbox/filter.log {
    rotate 52
    weekly
    postrotate
        /usr/bin/killall -HUP syslogd
    endscript
}

# "???.log" matches nat.log and www.log (three-character names), not filter.log
/var/log/gnatbox/???.log {
    rotate 6
    weekly
    postrotate
        /usr/bin/killall -HUP syslogd
    endscript
}

sendmail

NOTE, this will open up your mail server to listen to all addresses that can reach it. Only do this on an internal mail server, and if you really understand what it does!

  • You will need to have the sendmail-cf rpm installed.
  • Edit the following line in /etc/mail/sendmail.mc (commenting it out with "dnl" stops sendmail from binding to the loopback address only):
    Change: DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
    To:     dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
  • Run this command to regenerate sendmail.cf, then restart sendmail:
    m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
  • Edit /etc/hosts.allow and add or change to the following (replace nnn.nnn.nnn. with your network prefix, trailing dot included):
    sendmail: nnn.nnn.nnn. : ALLOW
    OR: sendmail: ALL : ALLOW

SME Server configuration

I have not really tested these options, so use with caution!

  • This will log all messages into the syslog "messages" file: edit /etc/e-smith/templates/etc/sysconfig/syslog/10NoMARKs and add "-r" to enable listening to the network like so:
    SYSLOG_OPTS="-m 0 -r"
  • Sendmail is not installed, but qmail/smtpfwd are already listening correctly.
  • Logrotate should not be needed, as SME Server already takes care of rotating the messages log.

Windows Syslog Servers

GNATBox Light comes with a free Windows Syslog server, but here are some others too.

Dynamic DNS Services

Stolen directly from DynDNS.org:

"Just got your cable installed? Itching to have a personal site on your DSL? Want to control your own e-mail? Don't want to have to tell friends about that annoying changing IP address or ISP- assigned hostname? We can help!

"Our Dynamic DNS and Static DNS services give you a new name - yourname.dyndns.org, for example, or you can choose from several other domains. Sign up, pick a hostname, download one of our selection of third-party update clients, and you're on your way! Best of all, these services are totally free for up to 5 hostnames each. Up to 20 hostnames in each service are available to donators."