From 3e4004b80954756592005e540d5958d98acc9c25 Mon Sep 17 00:00:00 2001 From: Andreas Baumann Date: Tue, 5 Jun 2018 21:12:54 +0200 Subject: updated README.md --- README.md | 154 +++++++++++++++++++++++++++++--------------------------------- 1 file changed, 71 insertions(+), 83 deletions(-) diff --git a/README.md b/README.md index 74046be..a03ec00 100644 --- a/README.md +++ b/README.md 
@@ -1,44 +1,45 @@ -# OpenBSD firewall via scripts ++++ +title = "OpenBSD-Firewall" +description = "OpenBSD firewall via scripts" ++++ ## History -Earlier versions of this project were used at Eurospider by -Mihai Barbos (https://github.com/mbarbos) to build -corporate-style firewalls with Portwell hardware. +Earlier versions of this project were used at Eurospider by Mihai Barbos (https://github.com/mbarbos) +to build corporate-style firewalls with Portwell hardware. Newer versions run on Soekris hardware now. -I (https://github.com/andreasbaumann/) merely collected -the ideas and updated them to new versions of OpenBSD -and cleaned up the repository a little bit. :-) +I merely collected the ideas and updated them to new versions of OpenBSD and cleaned up the repository a little bit. :-) And I'm using it at home. +## Github + +The old unsupported version can still be found on https://github.com/Eurospider/OpenBSD-firewall. + +Further development happens on git://git.andreasbaumann.cc/OpenBSD-firewall.git +or http://git.andreasbaumann.cc/cgit/OpenBSD-firewall/. + ## Install Check disk geometry of flash with: -``` -disklabel wd0 -``` + disklabel wd0 + +Adapt disk geometry in hardware/[machine]/flash_params. -Adapt disk geometry in `hardware/[machine]/flash_params`. +Run 'build.sh [machine] [flash_profile]', e.g. -``` -Run 'build.sh [machine] [flash_profile]'. -``` + build.sh firewall-test firewall-test Transfer image to flash: -``` -dd if=[machine].img of=/dev/wd0c -``` + dd if=[machine].img of=/dev/wd0c or remotely (after booting from floppy dongle or from hard disk): -``` -dd if=[machine].img | ssh [machine] "dd of=/dev/wd1c" -``` + dd if=[machine].img | ssh [machine] "dd of=/dev/wd1c" ## Directory layout 
@@ -50,28 +51,40 @@ dd if=[machine].img | ssh [machine] "dd of=/dev/wd1c" ## News +06.05.2018: + + The firewall at Eurospider has not been updated in years and I'm fed up with + Github and the world in general, so I moved the repo and abandoned the old + development area on Github. + 15.04.2018: -- updated to OpenBSD 6.3 + + updated to OpenBSD 6.3 19.10.2017: -- updated to OpenBSD 6.2 + + updated to OpenBSD 6.2 14.4.2017: -- updated to OpenBSD 6.1 + + updated to OpenBSD 6.1 18.9.2016: -- updated to OpenBSD 6.0 + + updated to OpenBSD 6.0 15.7.2016: -- updated to OpenBSD 5.9 + + updated to OpenBSD 5.9 17.1.2016: -- updated to OpenBSD 5.8 -- example shows how to use two nsd's and one unbound to replace a split horizon - configuration formerly done with bind views + + updated to OpenBSD 5.8 + example shows how to use two nsd's and one unbound to replace a split horizon configuration formerly done with bind views ## Roadmap +- update to new versions of OpenBSD as they come along - improve update process, preferably an in-situ update via TFTP - deal with logging - sensord 
@@ -79,31 +92,22 @@ dd if=[machine].img | ssh [machine] "dd of=/dev/wd1c" - various playgrounds - ospf, pfsync, carp - automatic acme and relayd certificate renewal for HTTPS relaying - + ## Other Embedded OpenBSD projects -possible small OpenBSD makers (low level): +Possible small OpenBSD makers (low level): -- CompactBSD: http://compactbsd.sourceforge.net/, back in 2002, - looks like OpenBSD 3.x was the last version tested +- CompactBSD: http://compactbsd.sourceforge.net/, back in 2002, looks like OpenBSD 3.x was the last version tested - Flashboot: http://www.mindrot.org/projects/flashboot/ - Flashrd/Flashdist: - http://www.nmedia.net/flashrd/rlsnotes.html - https://github.com/yellowman/flashrd/ - - http://www.nmedia.net/~chris/soekris/: original page which has gone, - flashdist is the older version of flashrd. The EIT - firewalls where based on early scripts of Chris Cappuccio - (early flashdist) + - http://www.nmedia.net/~chris/soekris/: original page which has gone, flashdist is the older version of flashrd. The EIT firewalls where based on early scripts of Chris Cappuccio (early flashdist) - Bowlfish: - - http://www.kernel-panic.it/software/bowlfish/: latest version 2.1 - seems a little bit old (11.4.2013). The description about Embedded - OpenBSD is very worthy to read, gives quite some insights how it works. - - sort of a normal BSD install, not really automatic - - seems to be for OpenBSD 4.9, not for 5.x - ./install[332]: /usr/mdec/installboot: not found - some files in etc missing -- Soekris256: - - http://256.com/gray/docs/soekris_openbsd_diskless/ + - http://www.kernel-panic.it/software/bowlfish/: latest version 2.1 seems a little bit old (11.4.2013). The description about Embedded OpenBSD is very worthy to read, gives quite some insights how it works. 
+ sort of a normal BSD install, not really automatic + seems to be for OpenBSD 4.9, not for 5.x ./install[332]: /usr/mdec/installboot: not found some files in etc missing + - Soekris256: http://256.com/gray/docs/soekris_openbsd_diskless/ more high-level: 
@@ -119,68 +123,52 @@ others: ## Hardware -At Eurospider we had Portwell NAR-2054 (3 and 5 ethernet port versions), some -have VGA ports and USBs, others only COMs, so make sure we always +At Eurospider we had Portwell NAR-2054 (3 and 5 ethernet port versions), +some have VGA ports and USBs, others only COMs, so make sure we always get boot output on COM. -Now at Eurospider we run it on a Soekris net6501. +Now at Eurospider we run it on a Soekris net6501, but I'm not going to +update and test that one anymore. At home I'm running it on an ALIX.2D13 with 3 LAN ports and a WLAN card. - -## VirtualBox build and test +VirtualBox build and test Create a VMDK wrapper for the disk image built with 'build.sh firewall-test': -``` -VBoxManage internalcommands createrawvmdk -filename firewall-test.vmdk -rawdisk firewall-test.image -``` + VBoxManage internalcommands createrawvmdk -filename firewall-test.vmdk -rawdisk firewall-test.image Copy firewall-test.image from OpenBSD machine to the machine running Virtualbox. -Use COM1 and `/tmp/serial`, host pipe, create pipe in VirtualBox, then: - -``` -socat unix-connect:/tmp/serial stdio,raw,echo=0,icanon=0 -``` - -The network devices is 'em0' not 'reX' on VirtualBox (as opposed to -the real box, at the time of writting there is no Realtek ethernet -card emulated in VirtualBox). +Use COM1 and /tmp/serial, host pipe, create pipe in VirtualBox, then: -## Troubleshooting + socat unix-connect:/tmp/serial stdio,raw,echo=0,icanon=0 -### DMA issues +The network devices is 'em0' not 'reX' on VirtualBox (as opposed to the real box, at the time of writting there is no Realtek ethernet card emulated in VirtualBox). 
+Troubleshooting +DMA issues If you get something like -``` pciide0:0:0: bus-master DMA error: missing interrupt, status=0x21 -``` -then change the access mode from DMA to PIO x -See man wd(4) for the values of flags +then change the access mode from DMA to PIO x See man wd(4) for the values of flags -``` -config -e -o /bsd.new /bsd + config -e -o /bsd.new /bsd -UKC> change wd -change (y/n) ? y -channel [-1] ? -1 -flags [0] ? 0xff0 -UKC> quit + UKC> change wd + change (y/n) ? y + channel [-1] ? -1 + flags [0] ? 0xff0 + UKC> quit -mv -f /bsd.new /bsd -``` + mv -f /bsd.new /bsd ## Links to guides and documentation -- Manpages of OpenBSD. +- Manpages of OpenBSD - http://home.nuug.no/~peter/pf/en/long-firewall.html and his "Book of PF". -- limit handling in production (connection states): - http://www.skeptech.org/blog/2013/01/15/pf-limits-in-openbsd/ +- limit handling in production (connection states): http://www.skeptech.org/blog/2013/01/15/pf-limits-in-openbsd/ ## Other projects -- http://securityrouter.org, OpenBSD-based, free and commercial versions - available, has a GUI - +http://securityrouter.org, OpenBSD-based, free and commercial versions available, has a GUI -- cgit v1.2.3-54-g00ecf
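Review bot: Replacing the `-# OpenBSD firewall via scripts` heading with TOML front matter (`+++`, `title = "OpenBSD-Firewall"`, `description = ...`, `+++`) in the first hunk means README.md no longer renders as a README on cgit or GitHub: the `+++` delimiters and the `title =` line will appear as literal text above `## History`. If the file is meant to feed a static site generator, consider keeping the Markdown heading here and adding the front matter at publish time, or keeping a separate page file. Two smaller points in the same hunk: the `git://git.andreasbaumann.cc/OpenBSD-firewall.git` URL uses the plain git transport, which gives the cloner no server authentication or transport integrity, so for scripts that build a firewall image the http(s) or an ssh URL should be the one listed first; and the install examples call the image `[machine].img` (`dd if=[machine].img of=/dev/wd0c`) while the VirtualBox section later in the same file refers to `firewall-test.image`, so one of the two extensions should be corrected.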
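Review bot: The new news entry in the `@@ -50,28 +51,40 @@` hunk is dated `06.05.2018:`, but the commit is from 5 June 2018 and the surrounding entries use DD.MM.YYYY (`15.04.2018:`, `19.10.2017:`), so as written it reads as 6 May; it should probably be `05.06.2018:`. Also, the bullets were changed from `- updated to OpenBSD 6.3` to indented `+ updated to OpenBSD 6.3` lines separated from the date line by a blank line; in Markdown a four-space indent after a paragraph is an indented code block, so these entries will render as preformatted text rather than as lists. Keep the `- ` list markers or drop the indentation.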
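Review bot: In the `@@ -79,31 +92,22 @@` hunk the Bowlfish sub-items lose their list markers: `- sort of a normal BSD install, not really automatic`, `- seems to be for OpenBSD 4.9, not for 5.x`, the quoted `./install[332]: /usr/mdec/installboot: not found` output and `- some files in etc missing` are collapsed into indented lines with no `-`, so the error message now runs into the "not for 5.x" item and the four points are no longer distinguishable. Keep one `- ` per item and put the installboot error on its own line, indented as code, so it is clearly quoted output. The typo `where based` (should be `were based`) in the rewritten Flashrd line is carried over from the old text and could be fixed while the line is being touched.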
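Review bot: The `@@ -119,68 +123,52 @@` hunk demotes three headings to plain paragraphs: `-## VirtualBox build and test` becomes `+VirtualBox build and test`, and `-## Troubleshooting` / `-### DMA issues` become `+Troubleshooting` / `+DMA issues`, while `## Hardware` and `## Links to guides and documentation` keep their `##`. Unless that is intended, restore the `##`/`###` markers so the section structure stays consistent. In the same hunk, `then change the access mode from DMA to PIO x See man wd(4) for the values of flags` joins two sentences on one line (a period before `See` would do), `The network devices is 'em0'` should read `The network device is 'em0'`, and `writting` should be `writing`. Finally, the `## Other projects` entry drops its `- ` marker (`+http://securityrouter.org, ...`), so it is no longer a list item like the entries in the sections above it.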