OpenBSD Firewall: Configuration

Now you have your clean, freshly installed system. Or at least you should! This is a continuation of the article I wrote previously on installing OpenBSD. This particular article covers the system settings you need to set up so that you can use your new OpenBSD box as an extremely powerful firewall. So the question is, where do you go from here?

This is actually going to be just a series of commands and a few file creations. Hopefully you set yourself up an account that is not root during the install. If you haven’t, that is the first thing I recommend you do: type adduser and follow the prompts. There are a few quick things to take care of before you can use the sudo command as intended. Log in as yourself, then switch temporarily to root with:

su root

and provide the root password. (OpenBSD only lets members of the wheel group su to root. The user the installer created is already in wheel; one added later with adduser may not be, in which case log in as root on the console for this step.) Now edit the group file, which on OpenBSD is /etc/group, not /etc/groups:

vi /etc/group

Add your user name to the wheel group. If your username is bob, the first line of /etc/group should look like this (usermod -G wheel bob makes the same change without an editor):

wheel:*:0:root,bob

Save changes and exit. Wheel membership alone is not enough for sudo: /etc/sudoers must also grant the group something. While you are still root, run visudo and make sure the line

%wheel ALL=(ALL) SETENV: ALL

is present and not commented out (the stock file may ship it commented). Now exit your root shell with exit, then your user shell with exit, so the new group membership is picked up at your next login. Log back in and run a test by typing:

sudo ifconfig

If everything was done correctly, sudo prompts for your own password and runs the command as root. You can, of course, perform all these steps as root, but I don’t condone it! So let’s get started. First we need to collect some network information. Type:

ifconfig

This displays every network interface you have. Ignore lo0, the loopback; you want the names of the other interfaces, which correspond to your physical network cards. I will call mine vr0 and vr1. Make a note of yours so that you don’t get confused; it is highly unlikely that your cards are named the same as mine, and you may see something like ath0 instead. So let’s set these up. Note that sudo echo 'up' >> /etc/hostname.vr0 does not work: the redirection is performed by your unprivileged shell before sudo ever runs, so you get "Permission denied". Pipe through tee instead:

echo up | sudo tee /etc/hostname.vr0
echo up | sudo tee /etc/hostname.vr1

This tells the system to bring both interfaces up at boot with no address. Each file must contain only that one line: if the installer left a dhcp line in one of them, remove it, because a port that fetches its own address is no longer a transparent bridge member. Now you need to create a bridge.

sudo ifconfig bridge0 create add vr0 add vr1 up

This creates the bridge and brings it up right now. To make it permanent, create /etc/hostname.bridge0 (vim is not in the base system; use vi):

sudo vi /etc/hostname.bridge0

and the file should contain the following lines:

add vr0
add vr1
up

Just those three lines (looks similar to the command we issued earlier, doesn’t it?). Your bridge is now configured! We still have a few shenanigans to cover before the firewall is protecting us, and the first is to make sure pf is turned on. Pf, the packet filter, is what makes OpenBSD such a great firewall. It is controlled by the pf variable in /etc/rc.conf. Do not edit that file directly, since upgrades replace it; local overrides belong in /etc/rc.conf.local (not /etc/rc.local, which is a script run at the end of boot and does nothing with a variable assignment). Edit it with

sudo vi /etc/rc.conf.local

and add a line that reads:

pf=YES #enable pf

You can check the running state at any time with sudo pfctl -si, which reports Status: Enabled or Status: Disabled, and turn pf on without a reboot with sudo pfctl -e.

Everything else we need to do happens in /etc/pf.conf, which the next article covers. You can test whether you are bridging properly by plugging the cable from your internet connection into one port of the firewall and running another cable from the other port to a switch. Anything hooked up to that switch should still be able to communicate across the network, and should get an IP address just as it normally does.

Things to check if it doesn’t work.

Your system may not work at first. There are a few things to check. First, make sure neither interface is still in DHCP mode: in transparent mode, neither member of the bridge may have an IP address. Look at /etc/hostname.vr0 and /etc/hostname.vr1; each should contain exactly one line, up. If a dhcp line was there when you booted, a dhclient process may still be holding an address on that port (ifconfig vr0 shows an inet line if so); fix the file, then kill it with sudo pkill dhclient or reboot.

Another thing people check is IP forwarding. On OpenBSD it is not an rc.conf setting but a sysctl, net.inet.ip.forwarding, set persistently in /etc/sysctl.conf with a line like this:

net.inet.ip.forwarding=1 #turn on IP forwarding

A pure layer 2 bridge passes frames without it, so leave it off unless this box also routes between addressed interfaces; enabling it only where needed keeps the firewall from forwarding traffic you never intended it to route.

You can bounce an interface with sudo ifconfig vr0 down followed by sudo ifconfig vr0 up, but that does not re-read the hostname file. To apply a change to /etc/hostname.vr0, run sudo sh /etc/netstart vr0; do that for each interface you changed, and for bridge0 after its members. If something really weird is going on, a reboot with sudo reboot (not sudo halt, which shuts the machine down) returns all networking to the state described in the files we created earlier.
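Here is an added example, not from the original article, that bundles the hostname.if file writing and the checks from this section into one script. It assumes the interface names vr0 and vr1 used above; the ROOT variable is my addition so you can dry-run it against a scratch directory. Running the whole script under sudo also sidesteps the sudo echo > file trap, because the redirections then execute as root.

```shell
#!/bin/sh
# Added example (not the article's own script): write the hostname.if(5)
# files for a two-port transparent bridge and check them the way the
# troubleshooting section above does. Run the whole thing as root,
#   sudo sh bridge-setup.sh vr0 vr1
# so the redirections run with root privileges. ROOT is my addition: point
# it at a scratch directory (ROOT=/tmp/x) to dry-run without touching /etc.
set -eu

ROOT="${ROOT:-}"          # "" means the real /etc
ETC="$ROOT/etc"

# write_bridge_config IF1 IF2 [BRIDGE]
# Overwrites rather than appends, so a leftover "dhcp" line cannot survive:
# a bridge member must not carry an address in transparent mode.
write_bridge_config() {
    if1=$1; if2=$2; br=${3:-bridge0}
    mkdir -p "$ETC"
    printf 'up\n' > "$ETC/hostname.$if1"
    printf 'up\n' > "$ETC/hostname.$if2"
    printf 'add %s\nadd %s\nup\n' "$if1" "$if2" > "$ETC/hostname.$br"
    chmod 640 "$ETC/hostname.$if1" "$ETC/hostname.$if2" "$ETC/hostname.$br"
}

# check_member IF: succeeds only if hostname.IF is exactly the line "up".
# Any dhcp/inet/inet6 line means the port would get an address of its own.
check_member() {
    f="$ETC/hostname.$1"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    if grep -Eq '^(dhcp|inet|inet6)' "$f"; then
        echo "$f still configures an address; it should contain only 'up'" >&2
        return 1
    fi
    [ "$(cat "$f")" = "up" ] || { echo "$f should contain only 'up'" >&2; return 1; }
}

# check_bridge IF1 IF2 [BRIDGE]: both members are added and the bridge is up
check_bridge() {
    f="$ETC/hostname.${3:-bridge0}"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    grep -qx "add $1" "$f" && grep -qx "add $2" "$f" && grep -qx "up" "$f"
}

# check_config IF1 IF2: run every check; the exit status is the verdict
check_config() {
    check_member "$1" && check_member "$2" && check_bridge "$1" "$2"
}

# Only act when given two interface names on the command line.
if [ $# -ge 2 ]; then
    write_bridge_config "$1" "$2"
    check_config "$1" "$2"
    echo "written; apply without a reboot: sh /etc/netstart $1 $2 bridge0"
fi
```

Run the checks alone on a box you did not configure with this script by sourcing the file and calling check_config vr0 vr1; a non-zero exit with a message on stderr points at the file that still has an address line.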

OpenBSD: Installation

The primary purpose of this article is to get OpenBSD installed. Really, this is much more straightforward than it used to be. Our install will focus on getting a transparent firewall ready, and the decisions we make will be with that in mind. I know I said the install process has been made easier, but it is still fairly involved, especially if you are not used to it. I will walk you through all the responses you need. To build an OpenBSD transparent firewall you will need the following.

  • Internet Access - to read this guide!
  • A computer to dedicate to it
  • At least 2 ethernet interfaces, 3 preferred.
  • CD Burner and blank CD

First you need to get OpenBSD. In all likelihood you will want the i386 flavor of the latest version, which at the time of writing is 4.7. Download the install47.iso and burn it to your CD. Excellent, you now have the media you need.

OpenBSD: Series Intro

Since my work and interests have led me in the direction of OpenBSD recently, I decided to do a brief series on getting OpenBSD running as a home firewall for yourself. Why OpenBSD? Simple: it is secure by default, has some great options that are matched only by some very expensive enterprise firewall appliances, and can almost certainly run on that two-generations-old computer you have been planning to do something with but which is actually just gathering dust somewhere. This will be an update and expansion of some previous OpenBSD articles I have written. The old articles were written circa OpenBSD 4.4, and with 4.7 out now and 4.8 looming in the near future, I have decided to go over and update my notes.

There have been a few important changes in the way OpenBSD works with transparent firewalls, and by and large I think those changes are for the better; they just need some clear documentation. As an improvement over my last articles on OpenBSD firewalls, I am going to break this one into a series of more manageable chunks rather than one massive post. I think that will make it simpler to find just that one thing you remember you read but can’t quite remember the exact command for. Something else to remember: clicking on the OpenBSD tag on the left will bring up a page with all my OpenBSD related posts, should you find yourself lost. This is the order in which I will publish.

  • Installation: Should publish concurrently with this overview piece.
  • Configuration: Some of the config files you will need to make it work. 
  • pf.conf: How to make your firewall sing, securely

These three areas will cover the basics of the firewall. I may add additional tips later.

OpenBSD or nmap?

I want to do a couple of series of articles. Should I do my series on OpenBSD firewalls or nmap scans first? Decisions decisions…