From b08020c31d2d6400e63c1b49ecb9c27dcb6f65fd Mon Sep 17 00:00:00 2001 From: Andreas Baumann Date: Tue, 5 Jun 2018 21:14:32 +0200 Subject: renamed README.md to README (is hugo markup now) --- README | 169 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ README.md | 174 -------------------------------------------------------------- 2 files changed, 169 insertions(+), 174 deletions(-) create mode 100644 README delete mode 100644 README.md diff --git a/README b/README new file mode 100644 index 0000000..a35b55c --- /dev/null +++ b/README 
@@ -0,0 +1,169 @@ +## History + +Earlier versions of this project were used at Eurospider by Mihai Barbos (https://github.com/mbarbos) +to build corporate-style firewalls with Portwell hardware. + +Newer versions run on Soekris hardware now. + +I merely collected the ideas and updated them to new versions of OpenBSD and cleaned up the repository a little bit. :-) + +And I'm using it at home. + +## Github + +The old unsupported version can still be found on https://github.com/Eurospider/OpenBSD-firewall. + +Further development happens on git://git.andreasbaumann.cc/OpenBSD-firewall.git +or http://git.andreasbaumann.cc/cgit/OpenBSD-firewall/. + +## Install + +Check disk geometry of flash with: + + disklabel wd0 + +Adapt disk geometry in hardware/[machine]/flash_params. + +Run 'build.sh [machine] [flash_profile]', e.g. + + build.sh firewall-test firewall-test + +Transfer image to flash: + + dd if=[machine].img of=/dev/wd0c + +or remotely (after booting from floppy dongle or from hard disk): + + dd if=[machine].img | ssh [machine] "dd of=/dev/wd1c" + +## Directory layout + +- build.sh: central build script +- doc: various documentation +- template: common files with variables being substituted and then copied to the image +- config: machine-specific configuration (e.g. pf.conf) +- hardware: flash disk geometry for specific machines + +## News + +06.05.2018: + + The firewall at Eurospider has not been updated in years and I'm fed up with + Github and the world in general, so I moved the repo and abandoned the old + development area on Github. 
+ +15.04.2018: + + updated to OpenBSD 6.3 + +19.10.2017: + + updated to OpenBSD 6.2 + +14.4.2017: + + updated to OpenBSD 6.1 + +18.9.2016: + + updated to OpenBSD 6.0 + +15.7.2016: + + updated to OpenBSD 5.9 + +17.1.2016: + + updated to OpenBSD 5.8 + example shows how to use two nsd's and one unbound to replace a split horizon configuration formerly done with bind views + +## Roadmap + +- update to new versions of OpenBSD as they come along +- improve update process, preferably an in-situ update via TFTP +- deal with logging + - sensord + - remote syslog +- various playgrounds + - ospf, pfsync, carp + - automatic acme and relayd certificate renewal for HTTPS relaying + +## Other Embedded OpenBSD projects + +Possible small OpenBSD makers (low level): + +- CompactBSD: http://compactbsd.sourceforge.net/, back in 2002, looks like OpenBSD 3.x was the last version tested +- Flashboot: http://www.mindrot.org/projects/flashboot/ +- Flashrd/Flashdist: + - http://www.nmedia.net/flashrd/rlsnotes.html + - https://github.com/yellowman/flashrd/ + - http://www.nmedia.net/~chris/soekris/: original page which has gone, flashdist is the older version of flashrd. The EIT firewalls where based on early scripts of Chris Cappuccio (early flashdist) +- Bowlfish: + - http://www.kernel-panic.it/software/bowlfish/: latest version 2.1 seems a little bit old (11.4.2013). The description about Embedded OpenBSD is very worthy to read, gives quite some insights how it works. 
+ sort of a normal BSD install, not really automatic + seems to be for OpenBSD 4.9, not for 5.x ./install[332]: /usr/mdec/installboot: not found some files in etc missing + - Soekris256: http://256.com/gray/docs/soekris_openbsd_diskless/ + +more high-level: + +- http://opensoekris.sourceforge.net/ +- http://compactbsd.sourceforge.net/ + +others: + +- https://andrewmemory.wordpress.com/tag/flashrd/ +- http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html +- http://glozer.net/soekris/cf-install.html +- http://verb.bz/2011/06/12/openbsd-embedded-router/ + +## Hardware + +At Eurospider we had Portwell NAR-2054 (3 and 5 ethernet port versions), +some have VGA ports and USBs, others only COMs, so make sure we always +get boot output on COM. + +Now at Eurospider we run it on a Soekris net6501, but I'm not going to +update and test that one anymore. + +At home I'm running it on an ALIX.2D13 with 3 LAN ports and a WLAN card. +VirtualBox build and test + +Create a VMDK wrapper for the disk image built with 'build.sh firewall-test': + + VBoxManage internalcommands createrawvmdk -filename firewall-test.vmdk -rawdisk firewall-test.image + +Copy firewall-test.image from OpenBSD machine to the machine running Virtualbox. + +Use COM1 and /tmp/serial, host pipe, create pipe in VirtualBox, then: + + socat unix-connect:/tmp/serial stdio,raw,echo=0,icanon=0 + +The network devices is 'em0' not 'reX' on VirtualBox (as opposed to the real box, at the time of writting there is no Realtek ethernet card emulated in VirtualBox). +Troubleshooting +DMA issues + +If you get something like + + pciide0:0:0: bus-master DMA error: missing interrupt, status=0x21 + +then change the access mode from DMA to PIO x See man wd(4) for the values of flags + + config -e -o /bsd.new /bsd + + UKC> change wd + change (y/n) ? y + channel [-1] ? -1 + flags [0] ? 
0xff0 + UKC> quit + + mv -f /bsd.new /bsd + +## Links to guides and documentation + +- Manpages of OpenBSD +- http://home.nuug.no/~peter/pf/en/long-firewall.html and his "Book of PF". +- limit handling in production (connection states): http://www.skeptech.org/blog/2013/01/15/pf-limits-in-openbsd/ + +## Other projects + +http://securityrouter.org, OpenBSD-based, free and commercial versions available, has a GUI diff --git a/README.md b/README.md deleted file mode 100644 index a03ec00..0000000 --- a/README.md +++ /dev/null 
@@ -1,174 +0,0 @@ -+++ -title = "OpenBSD-Firewall" -description = "OpenBSD firewall via scripts" -+++ - -## History - -Earlier versions of this project were used at Eurospider by Mihai Barbos (https://github.com/mbarbos) -to build corporate-style firewalls with Portwell hardware. - -Newer versions run on Soekris hardware now. - -I merely collected the ideas and updated them to new versions of OpenBSD and cleaned up the repository a little bit. :-) - -And I'm using it at home. - -## Github - -The old unsupported version can still be found on https://github.com/Eurospider/OpenBSD-firewall. - -Further development happens on git://git.andreasbaumann.cc/OpenBSD-firewall.git -or http://git.andreasbaumann.cc/cgit/OpenBSD-firewall/. - -## Install - -Check disk geometry of flash with: - - disklabel wd0 - -Adapt disk geometry in hardware/[machine]/flash_params. - -Run 'build.sh [machine] [flash_profile]', e.g. - - build.sh firewall-test firewall-test - -Transfer image to flash: - - dd if=[machine].img of=/dev/wd0c - -or remotely (after booting from floppy dongle or from hard disk): - - dd if=[machine].img | ssh [machine] "dd of=/dev/wd1c" - -## Directory layout - -- build.sh: central build script -- doc: various documentation -- template: common files with variables being substituted and then copied to the image -- config: machine-specific configuration (e.g. pf.conf) -- hardware: flash disk geometry for specific machines - -## News - -06.05.2018: - - The firewall at Eurospider has not been updated in years and I'm fed up with - Github and the world in general, so I moved the repo and abandoned the old - development area on Github. 
- -15.04.2018: - - updated to OpenBSD 6.3 - -19.10.2017: - - updated to OpenBSD 6.2 - -14.4.2017: - - updated to OpenBSD 6.1 - -18.9.2016: - - updated to OpenBSD 6.0 - -15.7.2016: - - updated to OpenBSD 5.9 - -17.1.2016: - - updated to OpenBSD 5.8 - example shows how to use two nsd's and one unbound to replace a split horizon configuration formerly done with bind views - -## Roadmap - -- update to new versions of OpenBSD as they come along -- improve update process, preferably an in-situ update via TFTP -- deal with logging - - sensord - - remote syslog -- various playgrounds - - ospf, pfsync, carp - - automatic acme and relayd certificate renewal for HTTPS relaying - -## Other Embedded OpenBSD projects - -Possible small OpenBSD makers (low level): - -- CompactBSD: http://compactbsd.sourceforge.net/, back in 2002, looks like OpenBSD 3.x was the last version tested -- Flashboot: http://www.mindrot.org/projects/flashboot/ -- Flashrd/Flashdist: - - http://www.nmedia.net/flashrd/rlsnotes.html - - https://github.com/yellowman/flashrd/ - - http://www.nmedia.net/~chris/soekris/: original page which has gone, flashdist is the older version of flashrd. The EIT firewalls where based on early scripts of Chris Cappuccio (early flashdist) -- Bowlfish: - - http://www.kernel-panic.it/software/bowlfish/: latest version 2.1 seems a little bit old (11.4.2013). The description about Embedded OpenBSD is very worthy to read, gives quite some insights how it works. 
- sort of a normal BSD install, not really automatic - seems to be for OpenBSD 4.9, not for 5.x ./install[332]: /usr/mdec/installboot: not found some files in etc missing - - Soekris256: http://256.com/gray/docs/soekris_openbsd_diskless/ - -more high-level: - -- http://opensoekris.sourceforge.net/ -- http://compactbsd.sourceforge.net/ - -others: - -- https://andrewmemory.wordpress.com/tag/flashrd/ -- http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html -- http://glozer.net/soekris/cf-install.html -- http://verb.bz/2011/06/12/openbsd-embedded-router/ - -## Hardware - -At Eurospider we had Portwell NAR-2054 (3 and 5 ethernet port versions), -some have VGA ports and USBs, others only COMs, so make sure we always -get boot output on COM. - -Now at Eurospider we run it on a Soekris net6501, but I'm not going to -update and test that one anymore. - -At home I'm running it on an ALIX.2D13 with 3 LAN ports and a WLAN card. -VirtualBox build and test - -Create a VMDK wrapper for the disk image built with 'build.sh firewall-test': - - VBoxManage internalcommands createrawvmdk -filename firewall-test.vmdk -rawdisk firewall-test.image - -Copy firewall-test.image from OpenBSD machine to the machine running Virtualbox. - -Use COM1 and /tmp/serial, host pipe, create pipe in VirtualBox, then: - - socat unix-connect:/tmp/serial stdio,raw,echo=0,icanon=0 - -The network devices is 'em0' not 'reX' on VirtualBox (as opposed to the real box, at the time of writting there is no Realtek ethernet card emulated in VirtualBox). -Troubleshooting -DMA issues - -If you get something like - - pciide0:0:0: bus-master DMA error: missing interrupt, status=0x21 - -then change the access mode from DMA to PIO x See man wd(4) for the values of flags - - config -e -o /bsd.new /bsd - - UKC> change wd - change (y/n) ? y - channel [-1] ? -1 - flags [0] ? 
0xff0 - UKC> quit - - mv -f /bsd.new /bsd - -## Links to guides and documentation - -- Manpages of OpenBSD -- http://home.nuug.no/~peter/pf/en/long-firewall.html and his "Book of PF". -- limit handling in production (connection states): http://www.skeptech.org/blog/2013/01/15/pf-limits-in-openbsd/ - -## Other projects - -http://securityrouter.org, OpenBSD-based, free and commercial versions available, has a GUI -- cgit v1.2.3-54-g00ecf
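Review bot: the commit message calls this a rename, but the first hunk (the new README) drops the five-line Hugo front matter (`+++ title = "OpenBSD-Firewall" ... +++`) that README.md carried, which is why the stat reads 169 insertions against 174 deletions instead of a pure rename; the message should say the front matter is intentionally left out of the plain README. While the text is being moved it is also worth fixing what the new file inherits unchanged from README.md: the three lines `VirtualBox build and test`, `Troubleshooting` and `DMA issues` under "Hardware" have lost their `##` heading markers and the blank line before them, so they render as running text glued to the ALIX.2D13 paragraph; `then change the access mode from DMA to PIO x See man wd(4)` has a stray `x`; and `The network devices is 'em0'`, `writting` and `where based` are typos. On the install steps, `dd if=[machine].img of=/dev/wd0c` writes the raw image over the entire wd0 device (partition `c` is the whole disk on OpenBSD), so a one-line reminder to check with the `disklabel wd0` shown just above that wd0 really is the flash card and not the build host's own disk would save a reader from an unrecoverable mistake.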
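Review bot: deleting README.md also removes the only copy of the Hugo front matter (`title = "OpenBSD-Firewall"`, `description = "OpenBSD firewall via scripts"`), and nothing in this commit recreates it elsewhere; if the Hugo site builds its project page from this repository, confirm the page still gets its title and description from another source, otherwise keep a README.md (or whatever file Hugo reads) carrying that block. Any renderer configured to look for README.md specifically (cgit's "about" page, for instance) will likewise no longer find a file after this change, so check that the repository front page still shows the "Github" section with the https://github.com/Eurospider/OpenBSD-firewall pointer and the git://git.andreasbaumann.cc/OpenBSD-firewall.git clone URL.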