Permanently disabling network for air gap

I'm making an airgapped machine. It's my first one. FreeBSD will probably be fine for my needs on it, but I was also looking at Slackware Linux. I have a DVD image of FreeBSD. When I install FreeBSD, if I don't set up LAN or Wi-Fi, is that basically it? Even if I plugged the disk into another PC, it would not have internet access? Would I need to disable e.g. Bluetooth as well, or is that not enabled by default? Are there any other services that should be disabled on an airgapped computer?
 
When I install FreeBSD, if I don't set up LAN or Wi-Fi, is that basically it?
Interfaces are set to 'down' by default. As long as you don't configure them they're effectively disabled. But this isn't going to stop anyone from sticking a cable in it and running ifconfig(8) or dhclient(8) though.
Would I need to disable e.g. Bluetooth as well, or is that not enabled by default?
Should be disabled by default. You can always check what the default settings are by looking at /etc/defaults/rc.conf. And it's not going to hurt if you explicitly disable it in /etc/rc.conf. But again, it's not going to stop anyone from logging in and just starting these services by hand.

So if you really want to make sure it's airgapped and can never be enabled, then the best course of action would be to use a computer that doesn't have a network or bluetooth interface at all. If it's physically not there it can obviously never be enabled.

Edit: To add to this, watch out for USB ports too. It's really easy to stick a wired/wireless network or bluetooth interface in it. So you might want to run a custom kernel with all the wired/wireless/bluetooth drivers removed and prevent kernel modules from being loaded.
 
You could build a custom kernel with INET and INET6 turned off (commented out).
/usr/src/sys/amd64/conf/GENERIC
Code:
options     INET            # InterNETworking
options     INET6            # IPv6 communications protocols
 
What do you intend to do with the machine? What data will you need for it? If it creates data, where will it go?

I think it was Dijkstra who said "all programs produce output, most also use input".
 
Interfaces are set to 'down' by default. As long as you don't configure them they're effectively disabled. But this isn't going to stop anyone from sticking a cable in it and running ifconfig(8) or dhclient(8) though.

Should be disabled by default. You can always check what the default settings are by looking at /etc/defaults/rc.conf. And it's not going to hurt if you explicitly disable it in /etc/rc.conf. But again, it's not going to stop anyone from logging in and just starting these services by hand.

So if you really want to make sure it's airgapped and can never be enabled, then the best course of action would be to use a computer that doesn't have a network or bluetooth interface at all. If it's physically not there it can obviously never be enabled.

Edit: To add to this, watch out for USB ports too. It's really easy to stick a wired/wireless network or bluetooth interface in it. So you might want to run a custom kernel with all the wired/wireless/bluetooth drivers removed and prevent kernel modules from being loaded.
Thanks for explaining. The machine will be used by me only and the disk will be encrypted, and I won't enable them, although I get your point. If I went for the custom kernel solution, I'm guessing that I would have to customize the kernel myself? A custom kernel has been something that I've wanted to do for quite some time now, even back on Linux. Where should I start? Are there any guidelines/tutorials in the handbook or other documentation?
 
You could but then you break all internal networking. Unless that is the goal as well?
Did you mean services? My intention is not to break anything, I just intend to disable communications with the outside: internet, Bluetooth...
 
What do you intend to do with the machine? What data will you need for it? If it creates data, where will it go?

I think it was Dijkstra who said "all programs produce output, most also use input".
I intend to keep and edit some data. You make a good point, but the data created will probably just stay on the machine as I don't need to send it anywhere. I just need to view it and perhaps edit it, which in my case will not require anything other than vim and maybe a couple of other simple programs.
 
It depends on how you define air gap. To me: post-installation AND pre-reboot (first time) [*], I put these in

/etc/rc.conf
Code:
firewall_enable="YES"
firewall_type="closed"

[*] Footnote:
i.e. last stage: Manual Configuration
The installation is now finished. Before exiting the installer, ...

Press [YES] to exit to a shell within the new system.
 
I'm guessing that I would have to customize the kernel myself? A custom kernel has been something that I've wanted to do for quite some time now, even back on Linux. Where should I start? Are there any guidelines/tutorials in the handbook or other documentation?
Start here: Chapter 8. Configuring the FreeBSD Kernel

It can look a little daunting at first but you'll get the hang of it. Once you know how it works it's actually quite easy. One downside you're going to run into is that there's no good 'dependency' tracking of the configuration, so if you removed something and another module depends on it you're only going to find out halfway through the build. It's not going to warn you before you start the actual build. All devices should have man pages; in those you can look up if a device depends on others.
 
Make sure you do NOT edit GENERIC. Make your own config like the handbook shows.
I will substitute the MYKERNEL name used in the handbook with NONET.
I find it useful to make your new kernel with some readily apparent name in regards to the modification I made.
Code:
# cd /usr/src/sys/amd64/conf
# cp GENERIC NONET
This will copy GENERIC file to new file NONET

Now you have a GENERIC kernconf unaltered and you will have a custom kernel config NONET.
In case you mess up badly you can still boot up off the GENERIC kernel from the loader prompt.

Now edit your NONET config to drop INET/INET6 and make sure you change the 'ident' line to NONET (From original setting of GENERIC)
I will use FreeBSD easy editor named ee. It is FreeBSD's simple editor like Nano. If you feel more at home with vi then use it instead.
ee /usr/src/sys/amd64/conf/NONET

Add a pound sign in front of these entries like so to comment them out and add your custom kernconf.
Code:
#ident       GENERIC
ident        NONET
#options    INET            # InterNETworking
#options    INET6            # IPv6 communications protocols

Now follow the handbook's compiling instructions.
Code:
cd /usr/src
make buildkernel KERNCONF=NONET
make installkernel KERNCONF=NONET

There is a chance things could break with this. You will need to test.
My opinion is that instead of removing all network interfaces and every net service, just cut right to the top: INET. It is the top level service for networking.
You may have to change your kernconf until you get it right. That is what a custom kernel is about.
 
In case it goes wrong, and you can't boot, the troubleshooting page has some info.
I changed this slightly. Saving the GENERIC kernel right before the changes to allow rollback or a maintenance mode with ethernet connection.

ADDENDUM:
Code:
cp -vipr /boot/kernel /boot/kernel.generic
cd /usr/src
make buildkernel KERNCONF=NONET
make installkernel KERNCONF=NONET
Reboot and test your new kernel.

This will backup your GENERIC kernel. The GENERIC kernel now consists of everything in the /boot/kernel.generic directory.

So to call it up by the loader prompt at the Beastie Menu press #3 'Escape to loader prompt' and type this command.

OK boot kernel.generic <Hit Enter Key to Boot>

This will boot GENERIC kernel while NONET is set as default.
 
Well I guess you could just comment out all the network adapters. That would save the loop adapter.

So comment out all adapters under these categories:
# PCI Ethernet NICs.
# PCI Ethernet NICs that use the common MII bus controller code.
# Wireless NIC cards

I really don't think you need to axe USB if all wifi drivers are excluded. Firewire is lost art.

To remove Bluetooth fully you need to recompile & install world with Bluetooth excluded.
/etc/make.conf
WITHOUT_BLUETOOTH=
 
egrep -nw '(io|INET)' /usr/src/sys/amd64/conf/*
Code:
/usr/src/sys/amd64/conf/DEFAULTS:13:device              io              # I/O device
/usr/src/sys/amd64/conf/GENERIC:31:options      INET                    # InterNETworking
/usr/src/sys/amd64/conf/MINIMAL:44:options      INET                    # InterNETworking
Also note that IIRC e.g. HDMI can not only be used for video & audio, but networking, too. So removing all network drivers & disabling kernel module loading via securelevel(7) would be the only option. 2nd note that you can't disable the ME, which has access to all devices by definition...

Then after you cut off any external communication interfaces off that system, install an AI onto that box, and let it ponder about its means of existence & usefulness...
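An audit script for the rc.conf side of this, as an added example that is not from the thread: it checks for the two ipfw lines from the "closed" firewall post above and for securelevel(7) being raised (level 1 or higher forbids loading kernel modules, which is the point made about HDMI and module loading), and flags any configured interface, wlans_ entry or enabled Bluetooth daemon. The rc.conf variable names are the stock ones from /etc/defaults/rc.conf; the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an rc.conf for air-gap settings:
# ipfw "closed", no configured interfaces, no Bluetooth daemons, and
# securelevel(7) raised so NIC/Bluetooth kernel modules can no longer be loaded.
# Usage: sh audit_rcconf.sh [/etc/rc.conf]

# Value of a variable in an rc.conf file (last assignment wins, quotes stripped).
rc_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Print each deviation; return 0 only if the file passes every check.
audit_rcconf() {
    f="$1"; rc=0
    [ "$(rc_get "$f" firewall_enable)" = "YES" ] || { echo "firewall_enable is not YES"; rc=1; }
    [ "$(rc_get "$f" firewall_type)" = "closed" ] || { echo "firewall_type is not closed"; rc=1; }
    [ "$(rc_get "$f" kern_securelevel_enable)" = "YES" ] || { echo "kern_securelevel_enable is not YES"; rc=1; }
    lvl=$(rc_get "$f" kern_securelevel)
    { [ -n "$lvl" ] && [ "$lvl" -ge 1 ]; } 2>/dev/null || { echo "kern_securelevel is not >= 1"; rc=1; }
    # Any configured interface (except loopback), wlans_ list or enabled Bluetooth daemon is a finding.
    if grep -nE '^[[:space:]]*(ifconfig_[a-z]|wlans_|(hcsecd|sdpd|bthidd)_enable=["'"'"']?YES)' "$f" \
        | grep -v 'ifconfig_lo'; then
        rc=1
    fi
    return $rc
}

# The fragment to append to /etc/rc.conf: the thread's two ipfw lines plus securelevel.
hardened_rcconf_fragment() {
    cat <<'EOF'
firewall_enable="YES"
firewall_type="closed"
kern_securelevel_enable="YES"
kern_securelevel="2"
EOF
}

if [ $# -gt 0 ]; then
    audit_rcconf "$1" && echo "$1: OK"
fi
```

Raising the securelevel also restricts other root operations (see securelevel(7)), so read that page before appending the fragment.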
 
Just a remark: copying and editing GENERIC is NOT recommended. Chances are your configuration will be broken with the next release. Instead, create a new config and add include GENERIC and ident NONET (to keep the example above).

Things can be disabled with nodevice and nooptions, overriding what is written in GENERIC.
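A generator for the include-GENERIC style of config recommended in the remark above, which also replaces the copy-GENERIC-to-NONET steps in the earlier post; this is an added example, not the thread's own commands. The driver names it drops are the ones in amd64 GENERIC at the time of writing and are an assumption to check against your release's GENERIC.

```shell
#!/bin/sh
# Added example (not from the thread): write a NONET kernel config that
# includes GENERIC and strips networking with config(5) directives, so GENERIC
# itself is never edited and the config survives the next release.
# Usage: sh nonet.sh [confdir]   (default: /usr/src/sys/amd64/conf)

# Drivers to drop: wireless stack, PCI NICs and USB NICs. These names appear in
# amd64 GENERIC, but the list is an assumption; check your release's GENERIC.
NONET_NODEVICES="wlan wlan_wep wlan_ccmp wlan_tkip wlan_amrr ath iwn iwm em re bge axe ure cdce"

write_nonet_conf() {
    out="$1/NONET"
    {
        echo "# NONET: GENERIC minus networking. Generated; never edit GENERIC."
        echo "include GENERIC"
        echo "ident NONET"
        echo "nooptions INET      # no IPv4: the top of the stack, as the thread says"
        echo "nooptions INET6     # no IPv6"
        for d in $NONET_NODEVICES; do
            echo "nodevice $d"
        done
    } > "$out"
    echo "$out"
}

# Check the result before 'make buildkernel KERNCONF=NONET': every directive
# must be present and nothing may re-enable INET. Returns 0 when OK.
check_nonet_conf() {
    f="$1"
    grep -q '^include GENERIC' "$f" || return 1
    grep -q '^ident NONET' "$f" || return 1
    grep -qE '^nooptions INET( |$)' "$f" || return 1
    grep -q '^nooptions INET6' "$f" || return 1
    ! grep -qE '^[[:space:]]*options[[:space:]]+INET' "$f"
}

if [ $# -gt 0 ]; then
    conf=$(write_nonet_conf "$1")
    check_nonet_conf "$conf" && echo "wrote $conf; next: cd /usr/src && make buildkernel KERNCONF=NONET"
fi
```

Dropping INET removes everything that depends on it, and GENERIC carries other options that assume networking, so expect to add further nooptions lines after a failed build, as the thread warns about the missing dependency tracking.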
 
You'll also have to delete /boot/kernel.old, ppp(8), cu(1), and all means of PLIP & SLIP (see ifconfig(8)). This seems to be a really strange, maybe weird, freaky & quirky project? You'll have your reasons. Consult military grade security experts? If someone really wants to, they could read your keystrokes by sniffing the radio waves resulting from the data sent across the wire of your keyboard, or the wire to your screen... That box had to be placed inside a Faraday's cage... etc.pp.
 
Personally, I find the idea of kernel reconfiguration to be very overkill. I would use a server motherboard; those don't have WiFi or Bluetooth. And then simply not plug any ethernet cable in. To me, that seems much more reliable: A human using the Mark I eyeball can verify that there is no connectivity, by looking at the empty ethernet connector. And make sure to never plug anything into the USB socket that could be used to communicate ... whether it's a storage device or ethernet dongle. This seems more reliable than using a software solution, which can be easily defeated, and that is harder to verify.

Anecdote: I used to work in places that are quite security conscious. In those places, you are only allowed to connect things to the network whose MAC address has been registered with the network security people, and that are running officially approved OS versions. So the database might have said "Ethernet port room 123-A is connected to MAC address 01:23:45:67:89:01, runs RHEL Linux version 13 with kernel 3.14159, and gets IP address 9.1.2.3". And the network security people ran scanners, so connecting a machine to the wrong wall outlet, or running the wrong OS version, would get your machine disabled and your phone would ring.

The problem is that we had a few machines that couldn't run the approved kernel versions, because we used them for kernel debugging (we were developing kernel code after all). To make the network security auditors happy, I prepared bright orange stickers, which we glued over the ethernet ports, and that said "DO NOT CONNECT TO NETWORK! Running experimental kernel version, for debugging only". The security auditors were very happy with how security-conscious our group was, and they liked the day-glo orange color: easy to see that we are complying with the rules. Obviously, we didn't: whenever the auditors weren't around, we connected our test machines to the network (forging plausible OS versions). That's because I had gone to the office supply store, and carefully selected stickers with very weak glue, which can be peeled off and put back on.
 
The security auditors were very happy with how security-conscious our group was, and they liked the day-glo orange color: easy to see that we are complying with the rules. Obviously, we didn't: whenever the auditors weren't around, we connected our test machines to the network (forging plausible OS versions). That's because I had gone to the office supply store, and carefully selected stickers with very weak glue, which can be peeled off and put back on.
ralphbzd! I am surprised at you! Pleasantly.

I have 7 laptops running FreeBSD, 1 Win10Pro for gaming and one Kali Linux for educational purposes. I disable all Wi-Fi and Bluetooth, place blue painter's tape over my camera lens, always dd a new USB stick before using it and never insert one I didn't buy into my machines.

I run an Ethernet LAN into a router that will only allow a MAC address I've set it to recognize, or there is no Internet access allowed. Every so often I unplug the power cord from my cable modem so it will reset my IP# when I power it back up.

When I su to become root I might even unplug the cable before doing so. Having all laptops, it's within hand movement and easy to do so.

We have a Wi-Fi hotspot in our building I can't access from my apartment. I have my own computers and Internet access, so beyond having an occasional Wi-Fi look-see with Kali while not connected to my LAN, the rest doesn't interest me.
 