about
minisoekris is based on the OpenSoekris project with the goal of a minimal
installation taken to the extreme. the target size of the installation is
an 8MB CF card.
security
minisoekris has both good security and none at all. remote logins via sshd,
telnetd, etc. are entirely impossible. nothing ever listens on any socket.
however, access control is left entirely to the serial console server, which
controls logins. the minisoekris OS has no authentication mechanisms at all,
meaning anyone who has access to the serial port has access to the entire device.
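one way to check the "nothing ever listens on any socket" claim, as an added example that is not part of minisoekris: it parses BSD-style `netstat -an` output and reports anything accepting traffic that is not on an allowlist. the sample output is constructed, and the `udp 520` entry assumes routed is running (RIP uses UDP port 520).

```shell
#!/bin/sh
# added example: audit BSD-style `netstat -an` output for sockets that accept traffic.
# input is read on stdin, so captured console output can be checked on another host.

# constructed sample: routed bound to udp 520 plus a stray sshd on tcp 22.
SAMPLE='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  10.10.10.1.22          10.10.10.50.40122      ESTABLISHED
tcp          0      0  *.22                   *.*                    LISTEN
udp          0      0  *.520                  *.*'

# print "proto port" for each tcp socket in LISTEN state and each
# unconnected udp socket (foreign address *.*); the port is the last
# dot-separated piece of the local address.
listeners() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, "[.]"); print "tcp", a[n] }
        $1 ~ /^udp/ && $5 == "*.*"     { n = split($4, a, "[.]"); print "udp", a[n] }
    ' | sort -u
}

# usage: audit_listeners ["proto port" ...] < netstat-output
# arguments are the expected listeners (hypothetical allowlist format).
# prints every listener not on the allowlist; returns 1 if there is one.
audit_listeners() {
    unexpected=$(listeners | while read -r proto port; do
        ok=0
        for allowed in "$@"; do
            if [ "$allowed" = "$proto $port" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then echo "$proto $port"; fi
    done)
    if [ -z "$unexpected" ]; then return 0; fi
    printf '%s\n' "$unexpected" | sed 's/^/unexpected listener: /'
    return 1
}

# demo: allow only RIP; the stray tcp 22 listener is reported.
printf '%s\n' "$SAMPLE" | audit_listeners "udp 520" || echo "audit failed"
```

with no arguments the audit passes only when the output shows no listeners at all, which is the state the section above describes.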
functionality
minisoekris is a minimal router, firewall, and NAT device. it uses static
routing, but can also accommodate RIPv1 and RIPv2 via routed. interactions
are done via nsh, the network shell.
minisoekris can also act as a bridge using nsh.
an example session is shown in this
session capture of the current system i'm using as my firewall. note that
i have dhcp enabled on my external interface and have yet to fix up my
pf integration. still, not bad for a few hours' worth of work.
minisoekris does not support: GRE tunnels, IPSec, or authpf.
building
the minisoekris.sh script builds the needed filesystem for you. it expects
a NET4501 kernel and the ../addon/nsh/nsh binary to already be built. run
this script as root.
currently the minisoekris script does not do the physical installation on
the CF device. for that you need to disklabel, newfs, copy files, and
run installboot yourself. this is forthcoming.
todo
- integrate PF nicely
  - firewall subcommands, example ...
    - pass in proto tcp ...
    - no pass in proto tcp ...
  - NAT subcommands, example ...
    - rdr on sis0 from any to any port 80 -> 10.10.10.10 port 80
    - no rdr on sis0 from any to any port 80 -> 10.10.10.10 port 80
- integrate routed more nicely
  - example rip (and no rip), version 1, version 2 commands
right now all of this is only available through the (minimal) /bin/sh
interface.
download