j tan()Julia Thomas Associates

CD Bootable OpenBSD firewall

This project allows you to set up a full featured OpenBSD firewall without the use of a hard disk. The system boots from a CDROM and stores configuration information on either a floppy, or a USB mass storage device, such as a "pen drive" or a USB CompactFlash reader.

The CD also contains a simple install script, to allow you populate a floppy or UMASS device with a basic firewall configuration. Simply boot the CD, select the media you wish to use, and answer some straightforward questions.

After the initial boot, the floppy can be set read only. This provides enhanced security, because if your firewall is attacked, you simply reboot and it is restored to its previous state. Of course, you'll want to do something about the security hole that allowed the initial attack.

The latest version, based on OpenBSD 3.5, adds several new features. The firewall now provides PPTP VPN and a caching nameserver out of the box.


  • OpenBSD 3.5 NAT Firewall using PF
  • No hard disk needed
  • Automated setup
  • Can run with all media Read-Only
  • DHCP on internal LAN
  • Nameserver and Cache

To get started, download this Gzipped ISO Image (38670007 bytes). Be sure to check the MD5 Sum and its detached Signature. The ISO is really correct and really boots, so please don't bug us to solve your download problems.

Some browsers gunzip automatically on download. This is actually a feature. Should you have a browser that gunzip's behind your back, maybe your download is already unzipped. If you have 118636544 bytes, then you have the unzipped fwimage.iso itself (MD5 Sum, detached Signature).

Usage instructions

If you want to recreate the system, here are the steps. And here is a link to Kevin Lo's instructions for building a live CD with 3.7

System requirements

  • x86 compatible processor
  • 64M ram bare minimum (all writable filesystems are on ramdisks, and there's no swap)
  • CD-ROM drive
  • floppy drive, or umass device (note the current issue with umass)
  • 2 network interfaces

Known Bugs

  • umass devices aren't detected at boot time. This requires that the device be unplugged and replugged during the boot process. This seems to be an OpenBSD issue with how the kernel probes usb devices. (HELP WANTED ON THIS ISSUE!)
  • UMASS device may detect as device not in /dev on CD
  • Check the procedure given for recreating the system; the notes may be incomplete or erroneous in places. (SEND FEEDBACK)
  • HOME environment variable set incorrecly for root

TODO list

  • improve the install script
  • add man pages
  • add ports useful on firewalls (openvpn, squid, etc...)
  • support dhcp on external interface
  • autodetect media
All changes are distributed under the OpenBSD license, copyright 2004 Julia Thomas Associates

Services  |  Resources  |  Contact  |  News  |  Members  |  Signup


() Copyright © 1991-2004
Julia Thomas Associates, Inc.
All rights reserved
All use of this site subject to terms.