Build Your Own Gateway Firewall

Learn how to build your own gateway firewall using FreeBSD® and old PC parts. The firewall will consist of the PF firewall, Snort IDS, various IPS applications, Squid proxy, and some intuitive web interfaces for auditing. The cost of this project should be between free and $200 depending on your resourcefulness. I built mine for free using spare parts that were stockpiled in personal storage and parts that the USMC was throwing away, but you can build one from used and/or new parts for dirt cheap.

NOTE:
This is a work in progress, and unfortunately, due to college and work, I don't have the time right now to cover every detail of this project. I'd love to collaborate with others to cover what we can. If you're interested contact me at j0hn7r0n at gmail dot com or catch me online at j0hn7r0n (AIM) or iiwishihadaname (Yahoo).






The FreeBSD Logo is a trademark of The FreeBSD Foundation and is used
by John Syrinek with the permission of The FreeBSD Foundation.

The mark FreeBSD is a registered trademark of The FreeBSD Foundation
and is used by John Syrinek with the permission of The FreeBSD Foundation.

• An old Pentium 3
• 256MB of PC100 RAM
• Two 100/10baseT(X) NICs (one on-board)
• 50GB IDE hard drive
• Generic IDE CD-ROM drive
• An old junker desktop ATX case
• 300W PSU
• Some Cat5/5e/6 ethernet cable

The hardest part about building a computer from scratch is finding the right parts. My suggestion would be to find a compatible motherboard and processor, then find the rest of your parts based on the capabilities of your motherboard.

Every computer must have the following parts:
» Processor (obviously)
» Motherboard
» RAM
» Physical drives - optical and/or hard)
» Input/output devices - NICs, keyboards, mice, monitors, etc.
» Case (although it's fun to leave this part out and mount the mobo on your wall)
» Cooling unit - Heatsink and/or fan (aka HSF), watercooling/phase-change cooling (not practical here, but fun regardless)

Processor
Often times, when building a computer, people put most of their money here. People are ingrained with the impression that a fast processor makes for a fast computer. This is not the case. A fast system relies equally on the speed of all the devices. A motherboard with a fast chipset and high front-side bus (FSB) is just as important as a fast processor. RAM is the other vital component in a fast system. For our system, the speed of all of these is a minor concern, as we are more concerned with the cost-effectiveness.
» AMD Athlon K7/K75/Thunderbird - Found in Slot A and Socket A.
» AMD Duron - Found in Socket A only.
» AMD Athlon XP - Found in Socket A.
» AMD Athlon MP - Found in Socket A.
» AMD Sempron - Found in Socket A and 754. These are just re-labelled Athlon XPs.
» AMD Athlon 64 - Socket 754 and 939. Come in dual-core also. I'm running an Athlon 64 3700 San Diego in my gaming rig, so you can see how these are MAJOR overkill.
» AMD Athlon 64 FX - Socket 939 and 940. Even more overkill than an Athlon 64. Although, I'd be happy to take an Athlon 64 FX-60 off of someone's hands :P
» AMD Opteron - Socket 940. Though geared towards server environments, this processor is about as much overkill as you can find (expensive too).
» Intel Celeron 500A to 2.8GHz Northwood - Found in Slot 1, Socket 370, 423, and 478 varieties.
» Intel Pentium III - Found in Slot 1 and Socket 370 varieties.
» Intel Celeron D - Found in Socket 478 and T.
» Intel Pentium 4 - Socket 423, 478, and T. Overkill
» Intel Xeon - Socket 603, and 604. Major overkill.
» Intel Itanium - Found in PAC611. Major overkill.

Motherboard
This is perhaps the hardest part to pick out, and also the most important. Due to the nearly inifinite variety, I will simply mention the most important features to consider.

» Socket/Slot - This is where your CPU will live. Make sure that your motherboard's socket is compatible with your processor. Often times a socket will be named after it's pincount. In most cases, if the processor and socket have the same pincount, they are compatible. Be careful though, this is not always the case. Be sure to double check.
» Drive interfaces - These are where your drives connect to your motherboard. Paralell ATA (aka ATA, PATA, IDE, EIDE) drives are still the most common, but are being phased out by the faster and more efficient Serial ATA (SATA). ATA comes in ATA66, ATA100, ATA133, and ATA166. SATA150 (aka SATA-I or just SATA) is often compatible with SATA300 (aka SATA-II or SATA with NCQ) motherboards. Another interface typically found in server environments is SCSI. These are being replaced by Serial-ATA due to cost.
» RAM slots - These are where your RAM goes. They are often referred to as DIMM slots. Sometimes you will see the pincount mentioned in the name or description. The slots that I'm familiar with support SDRAM (PC100, PC133), DDR SDRAM and DDR2 SDRAM (In varietes from PC1700 to PC8500), and RAMBUS (rare, pricey RAM that was ahead of it's time; only runs in pairs).
» Input/output interfaces - These are where add-on cards go. The most common are ISA (slowest and only found in industrial motherboards nowdays), PCI (slowest of all in common use, used for pretty much any kind of add-on card), AGP 1x/2x/4x/8x (common; almost always used by videocards; being phased out by PCI Express), PCI Express (fastest of all slots; typically used for videocards), PCI-X (not to be confused with PCI Express; can be (almost) as fast as PCI Express; comes in speeds such as 1x, 4x, 8x, etc.) Make sure that your NIC and video card each have a slot of their own (although it is possible to run this without a videocard).
» Form factor - This determines what kind of case you can use. Form factors include AT (obsolete), Enhanced/Extended ATX (big boards!), ATX (most common), Mini-ATX (small versions of ATX), Micro-ATX (even smaller), Mini-/Micro-/Pico-/Nano- ITX (tiny!). Any of these will work, but be careful of Mini-/Micro-/Nano-/Pico- ATX/ITX boards. Sometimes these have proprietary components that are not supported by FreeBSD drivers. I'd be happy to take an EPIA N Nano-ITX off of someone's hands also.
» Power interfaces - This is where your PSU connects to your motherboard. I'm familiar with 20-pin and 24-pin connectors, as well as Intel/AMD 4-pin headers. Make sure your PSU will plugin to your motherboard. If it doesn't, you can probably find conversion wires to make it fit for a few bucks at your local computer store.
» Backpanel - This is the collection of plugs located at the back of the motherboard. You will almost always find your keyboard, mouse, parallel, and serial connectors here. Many boards also have VGA/S-Video, LAN, USB, Firewire, and/or audio jacks here also.
» Fan headers - These are where your CPU and case fans plugin. Make sure you have enough to accomidate all of your fans. If you don't, you can either remove some fans (BUT NOT THE CPU FAN!), or find/purchase some 4-pin molex to 3-pin fan header conversion wires or 3-pin Y-splitters.

RAM
Pretty much any RAM will work as long as it's atleast as new as PC100 and is compatible with your motherboard. A decent capacity is but 128MB. Larger capacities will help speed up your compiling processes.

You can use memtest to test your RAM prior to installing FreeBSD. It may save you some headaches later.

Drives
ATA IDE drives are still the most common, but are being phased out by the faster and more efficient Serial ATA. ATA comes in ATA66, ATA100, ATA133, and ATA166. The numbers are associated with theoretical maximum transfer rates. Often times you will see a motherboard that says it supports ATA133. If the motherboard supports ATA133, it usually supports the slower ATA100 and ATA66 specifications. Make sure your motherboard supports an ATA standard greater-than or equal to the one used by your harddrive. Serial ATA has the same considerations. SATA150 (aka SATA-I or just SATA) is often compatible with SATA300 (aka SATA-II or SATA with NCQ) motherboards. Rarely are newer technologies backwards compatible with older ones, but ocasionally you'll find that a firmware update will allow this. If you plan on using SATA, you will most likely need a different power connector; although, Western Digital usually places both the legacy 4-pin molex power connector and the new Serial-ATA connector (DON'T USE BOTH SIMULTANEOUSLY!). If you need a Serial-ATA power connector, don't worry, there's conversion wires for those too.

Hard drive capacities greater than 1GB should be plenty. 100MB is the absolute minimum, but 250MB is recommended. Add 100MB to that if you plan on using a desktop environment.

If you are not using a relatively new (1 year or younger) hard drive, it is wise to perform a diagnostics test before installing your system. Because of their moving parts, hard drives are more prone to failure than the rest of your components.

Optical drives are what you'll use to install the operating system. Almost any drive will work for this as long as it is compatible with your motherboard. FreeBSD can be installed from CD ISOs or a single DVD ISO. It can also be installed from a USB drive (if it's large enough and your motherboard supports booting from USB) or the network. The later will not be covered here.

NIC
In our case, your NICs (Network Interface Cards) will be a vital component to the functionality of your PC. You will need two of these, one for the WAN side, and one for the LAN side. Often times you'll find one (or even two) NICs integrated into your motherboard. Just check the backpanel of the motherboard to find out. Your NICs will need to support atleast 10Mbps 10BaseT, but anything faster will work. This tutorial will only cover 10BaseT to 1000BaseTX NICs.

Monitor, keyboard, and mouse
You should be familiar with these already. We will only need a keyboard and monitor for the initial setup process. Afterwards, you can unplug these. Monitors come in VGA and DVI varieties (DVI being digital and newer). A TV can also be used if your motherboard and the TV both have S-Video connections and there is an S-Video driver for FreeBSD. Mice are either PS2 (no, not that one), USB, or the older ADB and RS232. Keyboards are the same. There are adapters to convert most of these to the correct plug.

PSU
If the CPU is the brains of your computer, the PSU is the heart. Make sure you have enough of the appropriate connections to power all of your devices. One of the most common problems with building computers is a weak/unstable PSU. You will experience random, unexplained problems if you skimp on the power supply. One of the most common signs of an underpowered computer is random shutdowns. If your computer turns off randomly, it is your hardware protecting itself from the lack of power. Depending on your hardware, you may need something as powerful as 300W. Then again, you may only need 100W. To give you an idea of how much is TOO much for this project, I use a 650W powersupply in my gaming rig; however, a more powerful PSU will not harm your system.

Case
Nothing special here. Make sure it supports your motherboard's form factor. Larger cases are easier to use because you have more room for wires and connectors. Tiny cases might have cooling problems if they are placed in areas with poor circulation. If your PSU doesn't fit in your case, you can modify the case to accomidate it. Be careful though! If you have to modify your PSU, take appropriate precautions. Unplug and discharge it first.

Cooling
Be sure you have both a heatsink and fan. If you don't have a fan, be sure you have a decent passive-heatsink, acceptable ambient air temperature, and adequate airflow in and around the case. This is another place to be careful. After the initial build, touch your processor from time to time to make sure that it's cooling. It should be warm, but not hot. If your arm jerks in reflex to touching it, it's too hot. Cooler running processors also last longer. Newer processors are more succeptible to thermal damage due to tighter tolerances and electron-migration. Older processors are more stable, and therefore popular in the overclocking community. Watercooling can bring your CPU temperatures close to ambient air temperature, but is overkill here. Phase-change cooling and TECs are MASSIVE overkill. They can drop your temperatures far below freezing where condensation becomes an issue. I wouldn't ming a TEC + Watercooling kit though :P

I think that about covers the hardware, but here are a few things to keep in mind:

» Larger RAM capacities speed up your compilation process. Nowdays 256MB of RAM is marginally more expensive (sometimes cheaper) than smaller capacities due to production, ROI, and storage costs.

» Your NIC should support atleast 10Mbps ethernet (aka 10BaseT). Because most people don't have internet connections higher than 10Mbps, the slower speed is acceptable here. If you can, try to make sure your NIC supports full-duplex to avoid collisions. Full duplex is denoted by an "X" on the end of the media type (eg. 10BaseTX). 100Mbps ethernet (100BaseT) is much more common than 10BaseT(X) and perfectly acceptable, although it is unlikely that you will see any performance gain from using it.

» Your hard drive and optical drive should most likely be ATA IDE drives. You will often see drives labeled ATA100 or ATA133. These work fine. On newer drives and controllers you will see the label Serial-ATA or SATA. These will work if your motherboard has the appropriate (SATA150 or SATAII/300) headers. SATA is major overkill for a simple gateway/firewall because it will VERY rarely be used. In fact, it would be possible to build this project without a harddrive altogether.

» Your PSU (Power Supply Unit) should be able to supply enough STABLE power to all of your devices simultaneously. A 300W PSU is more than enough for the minimal PC that we'll be building.

» If you plan on placing this gateway firewall in a small location, make sure the case is small enough. Because you will not need a monitor, keyboard, or mouse after the initial installation process, it is possible to store the firewall virtually anywhere! I have mine in my closet. Make sure you nave enough ethernet cable also.

Physically building a computer from scratch is much easier than most people think. Due to that large variety of physical connectors, it's pretty hard to damage hardware by placing it in an incorrect slot. If you have to force something into a slot, you're doing something wrong; otherwise, don't worry about frying the component. This hardware is cheap, and it's a good learning experience. Wouldn't you rather make mistakes now than when you build a multi-thousand dollar gaming rig?

Below are some pictures we took when my brother and I were building our NAS. I'll add comments to each step when I find the time, but, for now, here's the overview (in order):

» Clean everything off. Use compressed air to remove the dust from electrical components. A paintbrush can be used to remove dust from the fans. Do NOT use the paintbrush on electrical components! This may create static and damage your parts.
» Mount the motherboard in the case. It's best to do this now, because you might not be able to later.
» Mount the PSU. Again, do this now, because you may not be able to once you install the CPU, HSF, and drives. Do NOT plug the PSU into the motherboard, and make sure that the PSU is powered off and unplugged.
» Place the CPU in the retention mechanism. Be sure to properly ground yourself first by plugging in your PSU and touching the case as you unplug your PSU. Anti-static wristbands work even better. Do not force the CPU into the socket. Make sure you insert the CPU in the correct orientation. Use the pins and socket as reference. It should either slide in with a little pressure (Slot CPUs) or drop right in (Socket CPUs). After it is in place, be sure to fasten any latches or switches that hold the CPU in place.
» Grease the CPU. Thermal compound is used to fill the microscopic air pockets between your CPU and HSF with a thermally-conductive material. If your CPU has a heatspreader (extra metal around the core to provide strength), apply a dime-sized amount of thermal compound to the center of the heatspreader. If the CPU does NOT have a heatspreader, apply a small dab of thermal compound. Spread the compound around using a piece of stiff paper (a business card works great). If you get a little compound somewhere other than the top of the CPU, a little isopropyl alchol (rubbing alcohol, not booze) and some Q-tips will help to remove it. When you're finished, you should have a very thin layer of thermal compound covering the entire surface of the CPU.
» Install the HSF. This is often the most nerve-racking part. Sometimes it takes some force to secure the HSF retention mechanism. First, examine the retention mechanism to learn how it works. This will give you an idea of how to properly secure it, and ways that you may damage it. Next, take your time and carefully apply the appropriate force to secure the HSF. If you see your motherboard flex, or you're using enough force to move your case, you're probably doing something wrong. After you have the heatsink on, install the fan. Also, BE SURE YOU PLUG THE CPU FAN IN.
» Install the ram. Look at the DIMM slots on your motherboard and make sure that you are inserting the RAM correctly. There should be a ridge in the slot itself, and a notch in your RAM to help you determine the correct orientation of the RAM. You will also need to open the clips on the ends of the DIMM slots to allow insertion of the RAM. Now, carefully apply an even downward force to the RAM until you hear a click. This is the sound of the side fasteners locking the RAM modules into place.
» Install the drives. Because of their size, the drives should be installed next. Place the drives in their appropriate locations, and connect the power and data cables. Your harddrive should be connected to your primary IDE channel (labelled something like IDE_0 or Primary or 1). Your optical drive can share the same ribbon as your hard drive; however, if you plan on removing it, it's better to connect it to the secondary IDE channel for easy removal. You may notice an extra plug on the back of your optical drive. This is for digital audio. It's safe to ignore this.
» Install the I/O devices. Use a steady downward force to secure the PCI, AGP, and/or ISA cards in their appropriate slots. Be careful not to flex the cards while you're installing them. Sometimes the VGA slot has a little pin to better secure the video card. Should you ever remove the video card, you will need to release this pin first.
» Install any case fans. Consider the environment where the firewall will be placed, and provide enough fans to maintain adequate cooling. Larger fans are more quiet and move less air. If you're placing your firewall in an air-conditioned environment, and you have a decent sized case, one fan or no fans should provide enough cooling.
» Connect the power, reset, HD activity LED, Motherboard status LED, and system speaker. On most motherboards, the connections for all of these can be found in two rows of pins somewhere on the motherboard. Please refer to any documentation you can find to attach your power switch and indicators to the correct location. One trick to help locate the power-on or reset pins if you are POSITIVE that you have found the correct set of headers is to use a screwdriver to temporarily short jumpers until the computer turns on. You will have to do this after you connect the PSU to the motherboard (obviously).
» Connect the PSU to the motherboard. Connect the 20- or 24-pin connector to the motherboard. You may find an extra 4-pin connector on the motherboard also. This is to provide additional power to the motherboard. Often times it is unnecessary to connect this, because we will not be drawing enough power to connect it. Try powering on the motherboard without it, and if that fails, plug it in and try again.
» Power on and pray. This is the moment of truth. Did you install your RAM correctly? Is your CPU fan plugged in? If you hear more than a single short beep from your system speaker (you plugged that in right?), then something is probably wrong. Power off immediately and check your documentation to confirm that you've done everything. The beeps that you heard (error codes) can be used to help diagnose the problem.

Due to time constraints, I only have time to cover the required software and a brief overview of the installation process.

Obtaining the OS
Grab the CD ISOs or purchase the actual CDs or DVD from www.freebsd.org You can use either FreeBSD 5.4 or 6.0, either one works. Be sure you download the correct image for your architecture (only x86 is covered here). When in doubt, just grab the x86 and try it. I've never tried the AMD64 version of FreeBSD. The libraries were a pain to maintain with the AMD64 version of FC2 though. If you've used this architecture build, let me know how it works. If you have a 64-bit AMD processor, it is backwards compatible with the x86 architecture, so you have something to fallback to if you want to have an adventure in 64-bit computing.

Preparing the installation media
If you've downloaded the ISOs, burn them to CDs. Make sure your BIOS is set to use the CD/DVD drive as your primare boot device

The OS Installation Process
Follow FreeBSD's installation procedures. The default partition settings work fine for our purpose, but if you don't plan on rotating your logs regularly, you might want to increase the size of the /var partition.

As far as the ports collection is concerned, there are two methods to consider. If you don't want to bother with manually installing only what you need, install the entire ports collection; otherwise, perform a minimal install
» Update your ports collection. THIS IS IMPORTANT. If you do this PRIOR to building and installing any software, you'll save time later by not having to upgrade.
» Make sure all of your hardware is recognized. You may want to install the nVidia or ATI drivers if you're going to be using a desktop environment like KDE or Gnome
» Configure your ethernet interfaces
» Reboot and make sure that everything works and that you have internet access (by using lynx to view a website, or a simple ping connectivity test)

Again, any collaboration would be appreciated. See the intro for contact details.

172.16.0.0/16 (172.16.0.1 to 172.16.255.254) Will be the internal network.172.16.3.200 Will be the firewall's internal IP address.172.16.4.0/24 (172.16.4.1 to 172.16.4.254) will be assigned to a DHCP range.

# ifconfig -a

# adduser

sshd_enable="YES"

ListenAddress 172.16.3.200

# /etc/rc.d/sshd start

ipfilter_enable="YES"ipfilter_program="/sbin/ipf"ipfilter_rules="/etc/ipf.conf"ipfilter_flags=""

# First, deny everything unless specified.block in on xl0 # Our internal interfaceblock out on xl0block in on dc0 # Our external interfaceblock out on dc0# Allow our internal network to come into the internal interfacepass in on xl0 from 172.16.0.0/16 to any# Allow our internal interface to talk to the internal networkpass out on xl0 from 172.16.3.200 to any# Allow tcp or udp from our external interface outwards to anywhere, keeping# a "state table" of connections and assembling fragmented packetspass out on dc0 proto tcp/udp from any to any keep state keep frags# Allow "ping" and its friends out from the external interfacepass out on dc0 proto icmp from any to any## Services## We're going to be running a web server, so we need port 80pass in on dc0 proto tcp from any to any port = 80 flags S keep frags keep statepass in on dc0 proto tcp from any to any port = 443 flags S keep frags keep state# Likewise sendmail, eventually. Leave it commented for now, though.# pass in on dc0 proto tcp from any to any port = smtp flags S keep frags keep state# pass in on dc0 proto tcp from any to any port = smtps flags S keep frags keep state

# /etc/rc.d/ipf start

# ipf -Fa -f /etc/ipf.conf

# ipf -Fa

# ipfstat -i

# ipfstat -o

gateway_enable="YES"ipnat_enable="YES"ipnat_program="/sbin/ipnat"ipnat_rules="/etc/ipnat.rules"ipnat_flags=""

map dc0 172.16.0.0/16 -> dc0/32 portmap tcp/udp automap dc0 172.16.0.0/16 -> dc0/32 proxy port ftp ftp/tcp

# /etc/rc.d/routing start# /etc/rc.d/ipnat start

# cd /usr/ports/net/isc-dhcp3-server# make

# make install# cd /usr/local/etc# mv dhcpd.conf.sample dhcpd.conf

ddns-update-style none;log-facility local7;shared-network Dynamic-4-subnet {option routers 172.16.3.200;option domain-name-servers nnn.nnn.nnn.nnn;subnet 172.16.0.0 netmask 255.255.0.0 {range 172.16.4.1 172.16.4.100;}

dhcpd_enable="YES"

# /usr/local/etc/rc.d/isc-dhcpd.sh start

#ALTQ OPTIONSoptions         ALTQoptions         ALTQ_CBQ        # CLASS BASES QUEINGoptions         ALTQ_RED        # RANDOM EARLY DETECTIONoptions         ALTQ_RIO        # RED IN/OUToptions         ALTQ_HFSC       # HIERARCHIAL PACKET SCHEDULERoptions         ALTQ_PRIQ       # PRIORITY QUEUINGoptions         ALTQ_NOPCC      # REQUIRED FOR SMP BUILD

# cd /usr/src

# make buildkernel KERNCONF=FIREWALLKERNEL

# make installkernel KERNCONF=FIREWALLKERNEL

altq on $int_if priq bandwidth 100% queue {std, ssh, bt, http, p2p}altq on $ext_if priq bandwidth 5Mb queue {std, ssh, bt, http, p2p}queue ssh       priority 1      priqqueue http      priority 2      priqqueue std       priority 10     priq (default)queue p2p       priority 13     priq (red, ecn)queue bt        priority 15     priq (red, ecn)

You are not limitted to these utilities. FreeBSD has a vast collection of battle-proven security packages. Have a look at www.freebsd.org/ports/security.html for the list.

UPS's
If you experience frequent power surges, power outages, or even if you don't a UPS (Uninteruptable Power Supply) can save you many headaches. FreeBSD doesn't like being shutdown instantaneously. Often times, this leads to corrupted data. While most of the time (in my experience atleast) this can be fixed by running `fsck` in single-user mode with your disks unmounted, a UPS will eliminate this problem alltogether. Unless your power goes out for a prolonged amount of time, a UPS will provide reliable power to your firewall to keep it running smoothly. There are two different types of UPS's: offline (or standby) and online. Offline UPS's provide power from the outlet until they sense a power outtage, in which case they switch over to battery power. Online powersupplies have a zero switchover time (the amount of time it takes between loss of mains power and when stable power is supplied by the UPS) because they use inverters. Online UPS's are a little more expensive than offline UPS's, but more reliable. Offline UPS's will work fine though, so long as they have a low switchover time.

Bastion hosts and bastard systems
Keep in mind that the less software that you install, the more inherent security your firewall will enjoy. More software means more places for hackers to find vulnerabilities. By installing JUST a firewall, we would have a bastion host. Because it is more cost-effective to combine the firewall with the IDS, IPS, and auditing software, we are not creating a true bastion host -- more like a bastardized version of one.

Who's knocking down the door?
Don't be suprised to see attacks within minutes of placing the firewall on the internet. This does not mean that someone is intentionally trying to hack into your network. There are literally THOUSANDS of zombie computers out there that mindlessly probe the internet looking for a system to call their own, or worse, destroy. Aren't you glad you have a firewall?

My record for intrusion attempts after placing a firewall online is 3 minutes. In my experience, the most disturbing attempts are SSH bruteforces. A zombie computer portscanned you and found that you're running the SSH service (should you decide to allow WAN access). If someone were to gain access through SSH, the effects could be devastating. This is why your most important security measures should be placed here. If you're not using RSA/DSA pre-shared keys (why aren't you?), then at the very least, make sure your login password is extra-long, and contains an overzealouz combination of letters, numbers, AND symbols. Perhaps the dumbest thing you can do is allow root access to SSH. This would be like spamming the planet with your social security number. If need be, you can login as a normal user, then `su` your way to root.

Do I have a false sense of security?
If you don't trust your firewall, you can perform a quick and easy portscan on yourself by pointing a browser protected by your firewall to www.grc.com There you should find ShieldsUp!, a popular (and basic) security assessment tool. If you listen to the Security Now podcast with Leo Laport, you may have heard ShieldsUp! mentioned.

The best form of security auditing is by using a tool like Nessus. Nessus can be used to perform a MASSIVE assortment of security probes. You'll find Nessus in your ports collection, and at www.nessus.org

RTFM
The FreeBSD Handbook is the single-most important resource when working with FreeBSD. Just point your browser to www.freebsd.org/docs.html and click on "Handbook". Google is also another valuable resource. The best (and most enjoyable IMO) way to learn how to use FreeBSD, or any flavor of Linux or Unix, is by doing the research yourself and diving right in. You'll screw your system up, curse everyone and their mother, and possibly become an alcoholic because of it, but you'll be that much more elite once you figure it out. As a last resort, try some the IRC channels on Dalnet or Freenode. When resorting to chatrooms, be expecting insulting comments and a few "RTFM"s.

Other uses
I also build a NAS (Network Accessible/attached Storage) device using a more modern AMD K8, 512MB of PC3200 DDR-RAM, and a few gigabit ethernet NICs. This system is more than enough to provide reliable streaming media, file serving capabilities, and SVN repositories to anyone with wired, wireless, or VPN access to our LAN. We've even setup dynamic DNS services to provide internet access to our media through a custom web interface. Eventually, we will release the MyNAS project to provide a user-friendly interface to the NAS and an out-of-the-box file-sharing community.