Now you have your clean, freshly installed system. Or at least you should! This is a continuation of the article I wrote previously on installing OpenBSD. This particular article will cover the system settings that you need to set up so that you can use your awesome new OpenBSD box as an extremely powerful firewall. So the question is, where do you go from here?
This is actually going to be just a series of commands and a few file creations. Hopefully you set yourself up an account that is not root during the install process. If you haven’t, that is the first thing I recommend you do: type adduser and follow the instructions. Now there are a few quick things that you need to take care of so that you can use the sudo command as intended. Log in as yourself, then switch temporarily to root using this command:
su root
and provide the root password. Now edit the file /etc/group like this:
vi /etc/group
Add your user name to the wheel group, so if your username is bob the first line of your group file should look like this:
wheel:*:0:root,bob
Save changes and exit. Now exit out of your root shell with exit and then out of your user shell with exit. Log back in, and run a test by typing:
sudo ifconfig
If everything was done correctly you can provide your password and perform the root action. You can, of course, perform all these steps as root, but I don’t condone it! So let’s get started. First we need to collect some network information. Type:
ifconfig
This will display all the networking interfaces that you have available. You don’t need lo. You want the names of the other network devices, which correspond to your actual physical network cards. I will call mine vr0 and vr1. Make a mental note of your interfaces so that you don’t get confused. Remember, it is highly unlikely that your network cards will be named the same as mine. Yours may be something like ath0. So let’s set these up:
echo 'up' | sudo tee /etc/hostname.vr0
echo 'up' | sudo tee /etc/hostname.vr1
This tells the computer to bring your network interfaces up at startup. Now you need to create a bridge.
sudo ifconfig bridge0 create add vr0 add vr1 up
This will create and start a bridge for you. To make it permanent you need to create a file named hostname.bridge0 in /etc/ with this command:
sudo vi /etc/hostname.bridge0
and the file should contain the following lines:
add vr0
add vr1
up
Just those three lines (it looks similar to the command we issued earlier, doesn’t it?). Your bridge is now configured! We still have a few shenanigans to cover before the firewall is protecting us, though, and that is to turn on pf. Pf, the packet filter, is what makes OpenBSD such a great firewall. To enable it we need to add a line to our local rc file. Edit it with this command:
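As an added example (not from the original article), here is a small sh script that writes the same three hostname.if files in one go instead of editing them by hand. It assumes the interface names vr0 and vr1 used above; ETC_DIR is a hypothetical knob of this script, not an OpenBSD setting, so you can preview the files in a scratch directory before writing to /etc.

```shell
#!/bin/sh
# Added example, not from the original article: write the hostname.if files
# for a two-port transparent bridge in one go.
# ETC_DIR is an assumption of this script (defaults to /etc); set it to a
# scratch directory to preview the files before touching the real system.
ETC_DIR="${ETC_DIR:-/etc}"

# write_bridge_config OUTSIDE_IF INSIDE_IF [BRIDGE_IF]
# Bridge members get a file containing only "up": a member must carry no
# address, or the box stops being transparent. The bridge file gets the same
# three lines the article shows: add <if>, add <if>, up.
write_bridge_config() {
    outside="$1"; inside="$2"; bridge="${3:-bridge0}"
    printf 'up\n' > "$ETC_DIR/hostname.$outside" || return 1
    printf 'up\n' > "$ETC_DIR/hostname.$inside"  || return 1
    printf 'add %s\nadd %s\nup\n' "$outside" "$inside" \
        > "$ETC_DIR/hostname.$bridge" || return 1
    # OpenBSD keeps hostname.if files readable by root only (mode 640), since
    # some interface types store secrets such as WPA keys in them; match that.
    chmod 640 "$ETC_DIR/hostname.$outside" "$ETC_DIR/hostname.$inside" \
              "$ETC_DIR/hostname.$bridge"
}

# show_bridge_config OUTSIDE_IF INSIDE_IF [BRIDGE_IF]: print what was written
show_bridge_config() {
    for f in "$1" "$2" "${3:-bridge0}"; do
        echo "== $ETC_DIR/hostname.$f"
        cat "$ETC_DIR/hostname.$f"
    done
}

# Usage: ETC_DIR=/tmp/preview sh bridge-config.sh vr0 vr1
# Run as root with the default ETC_DIR to write the real files, then apply
# them with `sh /etc/netstart vr0 vr1 bridge0` or a reboot.
if [ $# -ge 2 ]; then
    mkdir -p "$ETC_DIR"
    write_bridge_config "$@" && show_bridge_config "$@"
fi
```

Writing the files with a fixed template rather than appending to whatever the installer left behind is the point: a member file that still carries a dhcp or inet line is exactly the failure the troubleshooting section below describes.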
sudo vi /etc/rc.conf.local
and add a line to the end of the file that reads like this:
pf=YES #enable pf
Everything else we need to do will be done from the pf configuration file itself. You can test whether you are properly bridging by plugging the Ethernet cable from your Internet connection into one port of the firewall and running another cable from the other firewall port to a switch. Anything hooked up to that switch should still be able to communicate across the network, and it should get an IP address just as it normally does.
Things to check if it doesn’t work.
Your system may not work at first. There are a few things you can check if it doesn’t work the first time. One is to make sure that neither of your interfaces is still in DHCP mode: to work in transparent mode, neither of the interfaces that make up the bridge can have an IP address. Check your hostname.vr0 and hostname.vr1 files in /etc. They should contain only one line: up.
Another thing you can check is that IP forwarding is turned on. In rc.conf you should see a line that controls the IP forwarding. It should look like this:
ip_forwarding=YES #turn on IP forwarding
You can restart your interfaces by issuing the command sudo ifconfig vr0 down and then sudo ifconfig vr0 up. This should reset the interface; do that every time you make changes to the interface. You can also try a restart with sudo halt. The restart will put all your networking into the state you specified in the files we created earlier, which may help if something really weird is going on.
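The checks in this section can be scripted so they run the same way every time. The following sh script is an added example, not from the original article: it inspects the hostname.if files for the two mistakes described above (a bridge member that still has dhcp or inet configuration, and a bridge file that does not add both members). ETC_DIR is a hypothetical knob of this script so it can be pointed at a copy of /etc; the interface names are the vr0/vr1 used in the article.

```shell
#!/bin/sh
# Added example, not from the original article: check the hostname.if files
# for the mistakes the troubleshooting section describes. ETC_DIR is an
# assumption of this script (defaults to /etc) so it can be pointed at a copy.
ETC_DIR="${ETC_DIR:-/etc}"

# config_body FILE: file contents minus comments and blank lines
config_body() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# member_is_addressless IF: succeed only if hostname.IF says nothing but "up".
# A leftover "dhcp" or "inet ..." line (often left behind by the installer)
# gives the card an address, and the bridge is then no longer transparent.
member_is_addressless() {
    f="$ETC_DIR/hostname.$1"
    [ -r "$f" ] || { echo "missing $f"; return 1; }
    [ "$(config_body "$f")" = "up" ]
}

# bridge_adds_members BRIDGE_IF OUTSIDE_IF INSIDE_IF: the bridge file must
# add both members and bring the bridge up.
bridge_adds_members() {
    f="$ETC_DIR/hostname.$1"
    [ -r "$f" ] || { echo "missing $f"; return 1; }
    body=$(config_body "$f")
    echo "$body" | grep -qx "add $2" &&
    echo "$body" | grep -qx "add $3" &&
    echo "$body" | grep -qx "up"
}

# check_bridge_setup OUTSIDE_IF INSIDE_IF [BRIDGE_IF]: run every check, report
# each failure, and return non-zero if anything is wrong.
check_bridge_setup() {
    outside="$1"; inside="$2"; bridge="${3:-bridge0}"; rc=0
    for i in "$outside" "$inside"; do
        member_is_addressless "$i" ||
            { echo "hostname.$i: member must contain only 'up'"; rc=1; }
    done
    bridge_adds_members "$bridge" "$outside" "$inside" ||
        { echo "hostname.$bridge: must add $outside and $inside, then up"; rc=1; }
    [ $rc -eq 0 ] && echo "bridge config looks sane"
    return $rc
}

# Usage: sh check-bridge.sh vr0 vr1   (add a third argument for a bridge
# other than bridge0). For the live state, compare with `ifconfig bridge0`:
# both members should be listed and neither member should show an inet line.
if [ $# -ge 2 ]; then
    check_bridge_setup "$@"
fi
```

The script only reads the boot-time configuration; a non-zero exit tells you which file to fix before you reach for the interface restart or reboot described above.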