# Permanently disabling network for air gap



## gomster (Mar 13, 2021)

I'm making an airgapped machine. It's my first one. FreeBSD will probably be fine for my needs on it, but I was also looking at Slackware Linux. I have a DVD image of FreeBSD. When I install FreeBSD, if I don't set up LAN or wifi, is that basically it? Even if I plugged the disk into another PC, it would not have internet access? Would I need to disable e.g. Bluetooth as well, or is that not enabled by default? Are there any other services that should be disabled on an airgapped computer?


----------



## SirDice (Mar 13, 2021)

gomster said:


> When I install freebsd, if i dont set up nor lan nor wifi, is that basically it?


Interfaces are set to 'down' by default. As long as you don't configure them they're effectively disabled. But this isn't going to stop anyone from sticking a cable in it and running ifconfig(8) or dhclient(8) though. 


gomster said:


> Would i need to disable e.g. bluetooth as well or is that not enabled by default?


Should be disabled by default. You can always check what the default settings are by looking at /etc/defaults/rc.conf. And it's not going to hurt if you explicitly disable it in /etc/rc.conf. But again, it's not going to stop anyone from logging in and just starting these services by hand.

So if you really want to make sure it's airgapped and can never be enabled, then the best course of action would be to use a computer that doesn't have a network or bluetooth interface at all. If it's physically not there it can obviously never be enabled.

Edit: To add to this, watch out for USB ports too. It's really easy to stick a wired/wireless network or bluetooth interface in it. So you might want to run a custom kernel with all the wired/wireless/bluetooth drivers removed and prevent kernel modules from being loaded.


----------



## Eric A. Borisch (Mar 13, 2021)

See also _kern_securelevel_; init(8).


----------



## mark_j (Mar 13, 2021)

Simple. Remove all network, USB & FireWire from the GENERIC kernel config and then make it. Set securelevel to 3. Done.


----------



## VladiBG (Mar 13, 2021)

Don't forget to disable out-of-band management networks, like Intel AMT, iLO, IPMI etc., from your BIOS.


----------



## Phishfry (Mar 13, 2021)

You could build a custom kernel with INET and INET6 turned off (commented out).
/usr/src/sys/amd64/conf/GENERIC

```
options     INET            # InterNETworking
options     INET6            # IPv6 communications protocols
```


----------



## mark_j (Mar 14, 2021)

You could but then you break all internal networking. Unless that is the goal as well?


----------



## ralphbsz (Mar 14, 2021)

What do you intend to do with the machine? What data will you need for it? If it creates data, where will it go?

I think it was Dijkstra who said "all programs produce output, most also use input".


----------



## gomster (Mar 14, 2021)

SirDice said:


> Interfaces are set to 'down' by default. As long as you don't configure them they're effectively disabled. But this isn't going to stop anyone from sticking a cable in it and running ifconfig(8) or dhclient(8) though.
> 
> Should be disabled by default. You can always check what the default settings are by looking at /etc/defaults/rc.conf. And it's not going to hurt if you explicitly disable it in /etc/rc.conf. But again, it's not going to stop anyone from logging in and just starting these services by hand.
> 
> ...


Thanks for explaining. The machine will be used by me only and the disk will be encrypted, and I won't enable them, although I get your point. If I went for the custom kernel solution, I'm guessing that I would have to customize the kernel myself? A custom kernel has been something that I've wanted to do for quite some time now, even back on Linux. Where should I start? Are there any guidelines/tutorials in the handbook or other documentation?


----------



## gomster (Mar 14, 2021)

mark_j said:


> You could but then you break all internal networking. Unless that is the goal as well?


Did you mean services? My intention is not to break anything, I just intend to disable communications with the outside: internet, Bluetooth...


----------



## gomster (Mar 14, 2021)

ralphbsz said:


> What do you intend to do with the machine? What data will you need for it? If it creates data, where will it go?
> 
> I think it was Dijkstra who said "all programs produce output, most also use input".


I intend to keep and edit some data. You make a good point, but the data created will probably just stay on the machine as I don't need to send it anywhere. I just need to view it and perhaps edit it, which in my case will not require anything other than vim and maybe a couple of other simple programs.


----------



## a6h (Mar 14, 2021)

It depends on how you define _air gap_. To me: post-installation AND pre-reboot (_first time_) [*], I put these in

/etc/rc.conf

```
firewall_enable="YES"
firewall_type="closed"
```

[*] Footnote:
i.e. last stage: *Manual Configuration*
_The installation is now finished. Before exiting the installer, ..._

Press *[YES]* to exit to a shell within the new system.
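The rc.conf settings the replies above converge on (SirDice: leave interfaces unconfigured and disable the Bluetooth daemons explicitly; a6h: `firewall_type="closed"`; mark_j and Eric: securelevel 3) can be checked mechanically. The script below is an added example, not from the thread or from FreeBSD itself: it parses an rc.conf-style file without sourcing it and prints one FINDING per deviation. The variable names (`hcsecd_enable`, `sdpd_enable`, `bthidd_enable`, `firewall_enable`, `firewall_type`, `kern_securelevel_enable`, `kern_securelevel`) are the real knobs from /etc/defaults/rc.conf; the two sample files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD): audit an rc.conf for the
# airgap settings discussed above. Sample files below are constructed.

# rc_get CONTENT KEY : value of the last KEY= assignment, quotes and trailing
# comment stripped; empty if KEY is never set. Parsing instead of sourcing
# means the audited file is never executed.
rc_get() {
    printf '%s\n' "$1" | awk -v k="$2" '
        $0 ~ ("^[[:space:]]*" k "=") {
            v = $0
            sub("^[[:space:]]*" k "=", "", v)
            sub(/[[:space:]]*#.*$/, "", v)
            gsub("^\"|\"$", "", v)
            val = v
        }
        END { print val }'
}

# audit_rcconf CONTENT : print one FINDING line per deviation, return their count
audit_rcconf() {
    rc=$1
    findings=0

    # Anything that brings an interface up at boot (lo0 is left alone).
    iface=$(printf '%s\n' "$rc" | awk '
        /^[[:space:]]*(ifconfig_|wlans_)[A-Za-z0-9_]*=/ && !/^[[:space:]]*ifconfig_lo0=/ {
            print "FINDING: interface configured at boot: " $0
        }')
    if [ -n "$iface" ]; then
        printf '%s\n' "$iface"
        findings=$((findings + $(printf '%s\n' "$iface" | wc -l)))
    fi

    # Bluetooth daemons: off by default, but disable them explicitly anyway.
    # rc.subr's checkyesno also accepts true/on/1, so match those too.
    for k in hcsecd_enable sdpd_enable bthidd_enable; do
        case "$(rc_get "$rc" "$k")" in
            [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1)
                echo "FINDING: $k is enabled"; findings=$((findings + 1)) ;;
        esac
    done

    # Closed firewall (loopback only) and securelevel 3.
    for pair in firewall_enable=YES firewall_type=closed \
                kern_securelevel_enable=YES kern_securelevel=3; do
        k=${pair%%=*}; want=${pair#*=}
        got=$(rc_get "$rc" "$k")
        if [ "$got" != "$want" ]; then
            echo "FINDING: $k is '${got:-unset}', expected '$want'"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# count_findings CONTENT : number of FINDING lines, printed as text
count_findings() {
    n=0
    audit_rcconf "$1" >/dev/null || n=$?
    echo "$n"
}

# Constructed rc.conf in the state the thread recommends.
GOOD_RC=$(cat <<'EOF'
hostname="airgap"
hcsecd_enable="NO"
sdpd_enable="NO"
bthidd_enable="NO"
firewall_enable="YES"
firewall_type="closed"          # deny everything except loopback
kern_securelevel_enable="YES"
kern_securelevel="3"            # no module loading once multi-user
EOF
)

# Constructed rc.conf of an ordinary laptop install.
BAD_RC=$(cat <<'EOF'
hostname="laptop"
ifconfig_em0="DHCP"
wlans_iwn0="wlan0"
ifconfig_wlan0="WPA DHCP"
hcsecd_enable="YES"
sdpd_enable="YES"
kern_securelevel="3"            # set, but kern_securelevel_enable is missing
EOF
)

audit_rcconf "$BAD_RC" || echo "$? finding(s)"
```

On a real box run `audit_rcconf "$(cat /etc/rc.conf)"`; a clean result only says the boot configuration matches, it does not stop someone from running ifconfig(8) by hand, which is the point SirDice makes.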


----------



## SirDice (Mar 14, 2021)

gomster said:


> I'm guessing that i would have to customize the kernel myself? A custom kernel has been something that I've wanted to do for quite some time now, even back on linux. Where should i start? Are there any guidelines/tutorials in the handbook or other documentation?


Start here: Chapter 8. Configuring the FreeBSD Kernel

It can look a little daunting at first but you'll get the hang of it. Once you know how it works it's actually quite easy. One downside you're going to run into is that there's no good 'dependency' tracking of the configuration, so if you removed something and another module depends on it you're only going to find out halfway through the build. It's not going to warn you before you start the actual build. All devices should have man pages; in those you can look up if a device depends on others.


----------



## Phishfry (Mar 14, 2021)

Make sure you do NOT edit GENERIC. Make your own config like the handbook shows.
I will substitute the MYKERNEL name used in the handbook with NONET.
I find it useful to make your new kernel with some readily apparent name in regards to the modification I made.

```
# cd /usr/src/sys/amd64/conf
# cp GENERIC NONET
```
This will copy the GENERIC file to a new file NONET.

Now you have a GENERIC kernconf unaltered and you will have a custom kernel config NONET.
In case you mess up badly you can still boot the GENERIC kernel from the loader prompt.

Now edit your NONET config to drop INET/INET6 and make sure you change the 'ident' line to NONET (from the original setting of GENERIC).
I will use the FreeBSD easy editor named `ee`. It is FreeBSD's simple editor, like Nano. If you feel more at home with `vi` then use it instead.
`ee /usr/src/sys/amd64/conf/NONET`

Add a pound sign in front of these entries like so to comment them out and add your custom kernconf.

```
#ident       GENERIC
ident        NONET
#options    INET            # InterNETworking
#options    INET6            # IPv6 communications protocols
```

Now follow the handbook's compiling instructions.

```
cd /usr/src
make buildkernel KERNCONF=NONET
make installkernel KERNCONF=NONET
```

There is a chance things could break with this. You will need to test.
My opinion is that instead of removing all network interfaces and every net service, just cut right to the top: INET. It is the top level service for networking.
You may have to change your kernconf until you get it right. That is what a custom kernel is about.


----------



## Phishfry (Mar 14, 2021)

In case it goes wrong, and you can't boot, the troubleshooting page has some info.
I changed this slightly. Saving the GENERIC kernel right before the changes to allow rollback or a maintenance mode with ethernet connection.

ADDENDUM:

```
cp -vipr /boot/kernel /boot/kernel.generic
cd /usr/src
make buildkernel KERNCONF=NONET
make installkernel KERNCONF=NONET
```
Reboot and test your new kernel.

This will back up your GENERIC kernel. The GENERIC kernel now consists of everything in the /boot/kernel.generic directory.

So to call it up from the loader prompt, at the Beastie menu press #3 'Escape to loader prompt' and type this command (hit Enter to boot):

```
OK boot kernel.generic
```

This will boot the GENERIC kernel while NONET is set as default.


----------



## mark_j (Mar 14, 2021)

gomster said:


> Did you mean services? My intention is not to break anything, I just intend to disable communications with the outside- internet, bluetooth...


Sort of. I was responding to Phishfry. If you disable/remove INET/INET6 from kernel config and make a new system you will indeed have no networking but any localhost/local loopback stuff will fail.


----------



## Phishfry (Mar 14, 2021)

Well I guess you could just comment out all the network adapters. That would save the loop adapter.

So comment out all adapters under these categories:

```
# PCI Ethernet NICs.
# PCI Ethernet NICs that use the common MII bus controller code.
# Wireless NIC cards
```

I really don't think you need to axe USB if all wifi drivers are excluded. FireWire is a lost art.

To remove Bluetooth fully you need to recompile & install world with Bluetooth excluded. In /etc/make.conf:

```
WITHOUT_BLUETOOTH=
```


----------



## Mjölnir (Mar 14, 2021)

`egrep -nw '(io|INET)' /usr/src/sys/amd64/conf/*`

```
/usr/src/sys/amd64/conf/DEFAULTS:13:device              io              # I/O device
/usr/src/sys/amd64/conf/GENERIC:31:options      INET                    # InterNETworking
/usr/src/sys/amd64/conf/MINIMAL:44:options      INET                    # InterNETworking
```
Also note that IIRC e.g. HDMI can not only be used for video & audio, but networking, too.  So removing all network drivers & disabling kernel module loading via securelevel(7) would be the only option.  Second, note that you can't disable the ME, which has access to all devices by definition...

Then after you cut off any external communication interfaces from that system, install an AI onto that box, and let it ponder its means of existence & usefulness...


----------



## zirias@ (Mar 14, 2021)

Just a remark: copying and editing `GENERIC` is NOT recommended. Chances are your configuration will be broken with the next release. Instead, create a new config and add `include GENERIC` and `ident NONET` (to keep the example above).

Things can be disabled with `nodevice` and `nooptions`, overriding what is written in `GENERIC`.
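Combining zirias@'s advice with Phishfry's list of sections to comment out: instead of copying GENERIC, a NONET config can be generated as `include GENERIC`, `ident NONET` and one `nodevice` line per adapter found under the "PCI Ethernet NICs" and "Wireless NIC cards" headings. This keeps INET/INET6 and the loopback device (mark_j's objection) and survives a GENERIC that changes with the next release, since the list is regenerated from whatever GENERIC ships. The script is an added example, not from the thread or the FreeBSD source tree; the GENERIC excerpt it runs on is a constructed stand-in for /usr/src/sys/amd64/conf/GENERIC.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD): emit a NONET kernel config
# that includes GENERIC and drops every device listed under the network
# adapter section headings, instead of editing a copy of GENERIC.

# Constructed excerpt standing in for /usr/src/sys/amd64/conf/GENERIC.
SAMPLE_GENERIC=$(cat <<'EOF'
ident		GENERIC
options 	INET			# InterNETworking
options 	INET6			# IPv6 communications protocols

# PCI Ethernet NICs.
device		em			# Intel PRO/1000 Gigabit Ethernet Family
device		ix			# Intel PRO/10GbE PCIE PF Ethernet

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the device miibus line in order to use these NICs!
device		miibus			# MII bus support
device		re			# RealTek 8139C+/8169/8169S/8110S
#device		rl			# RealTek 8129/8139 (already disabled)

# Wireless NIC cards
device		wlan			# 802.11 support
device		ath			# Atheros CardBus/PCI NICs

# Pseudo devices.
device		loop			# Network loopback
device		random			# Entropy device
EOF
)

# gen_nonet < GENERIC-like file : print the NONET config on stdout.
# A section starts at its "# ..." heading and ends at the next blank line,
# so the "# NOTE:" comment and "#device" lines inside a section are harmless.
gen_nonet() {
    printf 'include GENERIC\nident NONET\n\n'
    awk '
        /^# PCI Ethernet NICs/ || /^# Wireless NIC cards/ { in_net = 1; next }
        /^[[:space:]]*$/                                  { in_net = 0; next }
        in_net && $1 == "device"                          { print "nodevice\t" $2 }
    '
}

# Demo on the constructed excerpt.
printf '%s\n' "$SAMPLE_GENERIC" | gen_nonet
```

On a real system that is `gen_nonet < /usr/src/sys/amd64/conf/GENERIC > /usr/src/sys/amd64/conf/NONET`, followed by the `make buildkernel KERNCONF=NONET` / `make installkernel KERNCONF=NONET` steps Phishfry gives above. Review the generated list before building: the section headings must match the GENERIC of your release, and as SirDice notes config(8) will not warn you about a device that depends on something you removed.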


----------



## Mjölnir (Mar 15, 2021)

You'll also have to delete /boot/kernel.old, ppp(8), cu(1), and all means of PLIP & SLIP (see ifconfig(8)).  This seems to be a really strange, maybe weird, freaky & quirky project?  You'll have your reasons.  Consult military grade security experts?  If someone really wants to, they could read your keystrokes by sniffing the radio waves resulting from the data sent across the wire of your keyboard, or the wire to your screen...  That box had to be placed inside a Faraday's cage... etc.pp.


----------



## ralphbsz (Mar 15, 2021)

Personally, I find the idea of kernel reconfiguration to be very overkill. I would use a server motherboard; those don't have WiFi or Bluetooth. And then simply not plug any ethernet cable in. To me, that seems much more reliable: A human using the Mark I eyeball can verify that there is no connectivity, by looking at the empty ethernet connector. And make sure to never plug anything into the USB socket that could be used to communicate ... whether it's a storage device or ethernet dongle. This seems more reliable than using a software solution, which can be easily defeated, and that is harder to verify.

Anecdote: I used to work in places that are quite security conscious. In those places, you are only allowed to connect things to the network whose MAC address has been registered with the network security people, and that are running officially approved OS versions. So the database might have said "Ethernet port room 123-A is connected to MAC address 01:23:45:67:89:01, runs RHEL Linux version 13 with kernel 3.14159, and gets IP address 9.1.2.3". And the network security people ran scanners, so connecting a machine to the wrong wall outlet, or running the wrong OS version, would get your machine disabled and your phone would ring.

The problem is that we had a few machines that couldn't run the approved kernel versions, because we used them for kernel debugging (we were developing kernel code after all). To make the network security auditors happy, I prepared bright orange stickers, which we glued over the ethernet ports, and that said "DO NOT CONNECT TO NETWORK! Running experimental kernel version, for debugging only". The security auditors were very happy about how security-conscious our group was, and they liked the day-glo orange color: easy to see that we are complying with the rules. Obviously, we didn't: whenever the auditors weren't around, we connected our test machines to the network (forging plausible OS versions). That's because I had gone to the office supply store, and carefully selected stickers with very weak glue, which can be peeled off and put back on.


----------



## Deleted member 30996 (Mar 15, 2021)

ralphbsz said:


> The security auditors were very happy about how security-conscious our group was, and they liked the day-glo orange color: easy to see that we are complying with the rules. Obviously, we didn't: whenever the auditors weren't around, we connected our test machines to the network (forging plausible OS versions). That's because I had gone to the office supply store, and carefully selected stickers with very weak glue, which can be peeled off and put back on.


ralphbsz! I am surprised at you! Pleasantly.

I have 7 laptops running FreeBSD, 1 Win10Pro for gaming and one Kali Linux for educational purposes. I disable all wi-fi and Bluetooth, place blue painters tape over my camera lens, always `dd` a new USB stick before using it and never insert one I didn't buy into my machines.

I run an Ethernet LAN into a router that will only allow a MAC address I've set it to recognize, or there is no Internet access allowed. Every so often I unplug the power cord from my cable modem so it will reset my IP address when I power it back up.

When I `su` to become root I might even unplug the cable before doing so. Having all laptops, it's within hand movement and easy to do so.

We have a wi-fi hotspot in our building I can't access from my apartment. I have my own computers and Internet access so beyond having an occasional wi-fi look-see with Kali while not connected to my LAN the rest doesn't interest me.


----------



## Mjölnir (Mar 15, 2021)

P.S.: gomster you should seriously consider to run HardenedBSD instead of the vanilla _free BeaSD_.


----------

