Obsolete Content
This content is obsolete, but I am leaving it here as a historical reference.
Introduction
This is a quick reference guide for installing the free GNATBox Light firewall. GNATBox Light is a complete hardened, stateful, BSD-based firewall that fits on a single floppy disk (how cool is that?). See below for references. You can download a Word document with some sample Avery 5196 diskette labels at http://www.jpsdomain.org/public/GNATBox_Diskette_Labels.doc. Also check out my Home Networking diagram and explanation at http://www.jpsdomain.org/infosec/home_networks.html.
If you are interested in firewalls, you should also check out http://m0n0.ch/wall/, a completely free and Open Source firewall platform. It is arguably better than the GNATBox in many ways, such as having a more standard (in firewall terminology) and intuitive interface, many more features, no arbitrary limits on the number of interfaces or the number of connections, etc. However, it requires more resources to run (Pentium or better, 64 MB RAM or better, and a hard drive, CD-ROM or CF-Card). Both m0n0wall and GNATBox are very cool, and both have their place, so check them both out.
What’s Needed
- 486 or better with 32 MB RAM [I’m only using 20 MB] and a floppy drive (no hard drive)
- 2 NICs (3Com 3c509b recommended for 486/ISA)
- You will need a keyboard and monitor for the install only
Work Sheet
| * External IP Address: | + External MAC Address: |
| * External subnet mask: | * Default Gateway: |
| ISP DNS 1: | ISP DNS 2: |
| Internal (PROtected) IP Address: | + Internal MAC Address: |
| Internal subnet mask: | |

* If you have a cable modem, PPPoE or other link that uses DHCP, you will not need these.
+ It is very helpful, but not required, to know the MAC addresses of the network cards. They are often written somewhere on the card, especially on 3Com cards.
Basic Instructions (circa October 2002, updated 2006-03-06)
- Read about GNATBox Light (a little obsolete) at: http://www.gta.com/news/release/?n=1998-04-07.html
- Download the installer and the documentation from http://www.gta.com/products/gblight/ and http://www.gta.com/support/documents/. There is also a FAQ at http://www.gta.com/support2/faq/, though only the “General Questions” section has much bearing on the GNATBox Light.
- Install the software on the machine from which you will do management. At the end of the first part of the install, you may want to unselect items you don’t need, e.g., “Make GNATBox Light PPP floppy.” Then there will be a few more simple install wizards and you’re finished.
- Format and write a GNATBox floppy disk. (Using GBAdmin or gbMakeFloppy, you can “merge” an existing configuration into the new image when you need to upgrade to a new version; see below.)
- Set the BIOS on the firewall box to boot without a keyboard, if possible, and boot the install floppy.
- On the firewall box itself, follow the GNATBox setup wizard to configure the firewall:
  - Set the host name.
  - Enter the external and internal IP addresses and subnet masks as needed. If you have a cable modem, use DHCP on the external address.
  - Hit the space bar to select a different interface for the PROtected interface (it defaults to the one you probably already used for the external interface).
  - Hit the space bar to skip setting up a private service network (PSN/DMZ). This is not available in the free version (neither is VPN).
  - Set the default route (next hop) if necessary:
    - On older versions, do not set it if using DHCP externally.
    - On newer versions, set it to the Interface object of the connection (e.g. <EXTERNAL>).
  - Set the password for the administration account.
  - Save the configuration when finished.
  - When the firewall finishes loading, try ALT-F1, ALT-F2 and ALT-F3:
    - Screen 1: log messages
    - Screen 2: console admin tool
    - Screen 3: network stats
- Next, connect to the firewall from the management machine. Launch GBAdmin → File → Open → Network → enter the firewall’s IP. Default admin user: gnatbox. Password: whatever you set earlier.
  - While there is a web GUI, the fat client is usually easier. You can also disable the web GUI entirely to reduce attack surface.
- Register your GNATBox Light (recommended; free). This lifts some restrictions. I’ve never received spam traceable to GTA. It is essential that you enter the correct MAC address of the PROtected interface. Locate it in Network Information under Physical Interfaces. Example format: 08:00:2b:9a:94:3a. You can also find it under “Reports → Configuration” and safely copy/paste it.
  - Go to http://www.gta.com/products/regGblight/ and fill out the form.
  - Enter the PROtected MAC address. You will see the registration code immediately and also via email.
  - Go to “Basic Configuration → Features”.
  - Add the registration code (green plus on the toolbar or Edit → Insert). The description will stay “?????” until you exit and re-enter the admin interface.
  - Go to “Basic Configuration → Preferences”.
  - Paste the serial number and complete the remaining fields.
- Explore the interface. Each main heading has a summary/help page. Pay special attention to Reports and System Activity.
- Review the configuration:
  - Basic Configuration → DNS: configure as needed.
  - Basic Configuration → Features: only the activation code matters.
  - Basic Configuration → Preferences: enter name, email, serial number, support email.
  - Services → E-Mail Proxy: configure if mail is delivered to an internal server.
  - Services → Remote Logging: see “Remote Logging”.
  - Authorization → Admin Accounts: manage admin users/passwords.
  - Authorization → Remote Admin/Authentication: a web server on port 80 is enabled by default. I usually disable this, as it is not SSL (free version) and is only accessible internally.
  - Authorization → VPNs: not available in the free version.
  - Content Filtering: proxies and filtering (e.g., CyberPatrol), HTTP proxy (traditional or transparent).
  - Routing: configure RIP/static routes if needed.
  - Objects → Addresses: define objects for use in rules.
  - Objects → VPN: usually disable (VPN not available in the free edition).
  - Filters → Outbound: verify outgoing rules. The default allow-all may be too permissive.
  - Filters → Preferences → Email Server: configure SMTP alerts; otherwise disable the alarm on rule 17.
  - Filters → Protocols: defines protocols; typically unchanged.
  - Filters → Remote Access (incoming rules): carefully verify what is allowed inbound.
    - Disable rule 4 (unrestricted in/out DNS).
    - Rule 7 blocks junk (e.g., UPnP discovery).
    - Disable rule 13 or set it to deny (Ident/auth protocol; obsolete).
    - Consider rule 14 (ICMP to the firewall).
    - Rule 17 is the cleanup rule: deny and log everything not previously allowed.
  - Filters → Time Groups: define time-based rule groups.
  - IP Passthrough: bypass NAT; rarely appropriate.
  - NAT: configure NAT behavior.
  - NAT → Inbound Tunnels: PAT/port-forwarding. Useful but dangerous.
  - Runtime → Version: shows the runtime image version.
  - Reports → Verification: resolve configuration issues.
  - Reports → Hardware: details about the firewall hardware.
  - Reports → Configuration: copy/paste a readable config backup.
  - System Activity: operational metrics.
  - Links: various helpful URLs.
- Save the configuration to the floppy.
- You now have a basic firewall set up.
Hints
- You can save and open GNATBox configurations from the network (to the firewall itself), any number of floppies, and files on the local hard drive. Since the entire firewall system resides on a single floppy, this makes the back-out plan when upgrading absurdly simple: put the old floppy back in and reboot. Likewise, in a test lab, you can have any canned firewall config you want just by using a different floppy.
- Back up the system by creating a backup floppy. This is also great for testing! Open the existing configuration from the local drive, then switch floppies and save both “Configuration” and “Runtime.” Or, you can open a firewall over the network, save the config as a file, then merge it to a new floppy as below.
- Merge an old config into a new GNATBox runtime with GBAdmin:
  - Run the GUI admin tool.
  - Open the firewall over the network, or the firewall floppy.
  - Choose the File → Merge menu.
  - Load the old config file or floppy.
  - Verify the configuration, then save the merged config.
- “Merge” an old config into a new GNATBox runtime with gbMakeFloppy:
  - Run “Make GB Lite Floppy”.
  - Click the control menu (the icon in the title bar, in the upper left, directly left of the text “GNATBox Make Floppy”) and choose the appropriate option.
- See the GNATBox Forums at http://forum.gnatbox.com/.
Remote Logging
OK, one very important thing we have not talked about is logging. Since the GNATBox uses a single floppy disk, it has no room for local logging. It can log to memory, but that usually runs out pretty fast too, so a remote loghost is great. If you already have a syslog server (every UNIX system has one) you can use that (see the resources section for syslog server configuration). If not, GNATBox Light used to come with one for Windows, but that seems not to be the case any more. See Windows Syslog Servers below for solutions.
- In Services → Remote Logging: enable logging.
- Enter the IP address and port (514) of your syslog server. The defaults are not bad, so I’d start with them.
- If you are using a UNIX syslog and understand facilities, you can configure those as needed. See the RedHat example below.
- If you are using a Windows syslog, you are probably not logging anything but the GNATBox, so it’s not worth changing facilities.
Advanced Resources
RedHat Syslog & Sendmail configuration
This was tested using RedHat 7.1 and 7.2 but should be similar for most distributions.
syslog
On your RedHat box:
- Run: mkdir -p /var/log/gnatbox
- Edit /etc/syslog.conf and add the following:
- Edit /etc/sysconfig/syslog and add -r to enable listening to the network, like so: SYSLOGD_OPTIONS="-m 0 -r"
- Restart syslog.
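The Remote Logging steps above send the GNATBox’s messages to UDP/514, and the -r option makes syslogd accept them from the network. As an added example (not code from the page or from GTA), here is a minimal Python loghost that shows what happens at that end: it decodes the RFC 3164 PRI header into the facility and severity that the GNATBox “facilities” setting controls, accepts datagrams only from the firewall’s address (since -r listens for anyone who can reach the port), and picks the destination file the way a syslog.conf selector would. The firewall address 192.0.2.1, the log path under /var/log/gnatbox and the local0 selector are assumptions, not values from the page.

```python
import re
import socket
from typing import Optional, Tuple

# RFC 3164 facility and severity tables: PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

FIREWALL_IP = "192.0.2.1"   # assumed PROtected address of the GNATBox (not from the page)
# Assumed syslog.conf-style selector: messages the firewall sends as local0 go to this file.
SELECTORS = {"local0": "/var/log/gnatbox/gnatbox.log"}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse_pri(datagram: bytes) -> Optional[Tuple[str, str, str]]:
    """Split a syslog datagram into (facility, severity, message); None if PRI is malformed."""
    m = PRI_RE.match(datagram.decode("ascii", errors="replace"))
    if not m or int(m.group(1)) > 191:      # 23 * 8 + 7 is the largest legal PRI
        return None
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], m.group(2).rstrip("\n")

def route(src_ip: str, datagram: bytes) -> Optional[str]:
    """Destination file for a datagram, or None if it is rejected.

    syslogd -r accepts datagrams from any host that can reach UDP/514, so the
    loghost itself should only take messages from the firewall's address.
    """
    if src_ip != FIREWALL_IP:
        return None
    parsed = parse_pri(datagram)
    return SELECTORS.get(parsed[0]) if parsed else None

def serve(bind: str = "0.0.0.0", port: int = 514) -> None:
    """Receive UDP syslog and append accepted lines to their file (port 514 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (src_ip, _) = sock.recvfrom(2048)
        target = route(src_ip, data)
        if target:
            with open(target, "ab") as fh:
                fh.write(data.rstrip(b"\n") + b"\n")

# Constructed sample datagram (not real GNATBox output): PRI 134 = local0 (16 * 8) + info (6).
SAMPLE = b"<134>Mar  6 12:00:00 gnatbox constructed sample message\n"
```

Datagrams from any other host, or with a facility that has no selector, are dropped rather than written, which is the behaviour you want from a listener that -r has just exposed to the whole network.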
Logrotate
Create /etc/logrotate.d/gnatbox with the following contents:
sendmail
NOTE: this will open up your mail server to listen on all addresses that can reach it. Only do this on an internal mail server, and only if you really understand what it does!
- You will need to have the sendmail-cf rpm installed.
- Edit the following line in /etc/mail/sendmail.mc. Change:
  DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
  To:
  dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
- Run this command to regenerate sendmail.cf, then restart sendmail: m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
- Edit /etc/hosts.allow and add or change to the following (replace nnn.nnn.nnn. with your network): sendmail: nnn.nnn.nnn. : ALLOW
  OR: sendmail: ALL : ALLOW
Windows Syslog Servers
GNATBox Light comes with a free Windows Syslog server, but here are some others too.
Dynamic DNS Services
Stolen directly from DynDNS.org:
“Just got your cable installed? Itching to have a personal site on your DSL? Want to control your own e-mail? Don’t want to have to tell friends about that annoying changing IP address or ISP-assigned hostname? We can help!
“Our Dynamic DNS and Static DNS services give you a new name - yourname.dyndns.org, for example, or you can choose from several other domains. Sign up, pick a hostname, download one of our selection of third-party update clients, and you’re on your way! Best of all, these services are totally free for up to 5 hostnames each. Up to 20 hostnames in each service are available to donators.”