# OpenBSD firewall via scripts

## History

Earlier versions of this project were used at Eurospider by
Mihai Barbos (https://github.com/mbarbos) to build
corporate-style firewalls on Portwell hardware.

Newer versions now run on Soekris hardware.

I (https://github.com/andreasbaumann/) merely collected
the ideas, updated them for newer OpenBSD releases
and cleaned up the repository a little. :-)

I also use it at home.

## Install

Check the disk geometry of the flash device with:

```
disklabel wd0
```

Adapt the disk geometry in `hardware/[machine]/flash_params`, then build the image:

```
build.sh [machine] [flash_profile]
```

Transfer the image to the flash device (double-check the device name first;
`dd` overwrites the target without asking):

```
dd if=[machine].img of=/dev/wd0c
```

or remotely, after booting the target from a floppy dongle or from its hard
disk, in which case the flash is wd1:

```
dd if=[machine].img | ssh [machine] "dd of=/dev/wd1c"
```
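The `dd` step above gives no feedback on whether the flash actually holds what was written. The following script is an added example (not part of this repository) that wraps the local transfer and then hashes what is read back from the device; the device name `/dev/wd0c` and the image name `[machine].img` follow the README and are assumptions, as is the fallback to `sha256sum` on non-OpenBSD hosts.

```sh
#!/bin/sh
# Added example, not part of this repository: write a build.sh image to a
# flash device and confirm the write by hashing what is read back.
# Assumed usage:  write_and_verify [machine].img /dev/wd0c
# (OpenBSD naming as in the README; in the remote variant the flash is wd1).

hash_stdin() {
    # SHA-256 of stdin; OpenBSD ships sha256(1), Linux sha256sum(1).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        sha256 -q
    fi
}

file_size() {
    # wc -c is portable; stat(1) options differ between OpenBSD and Linux.
    wc -c < "$1" | tr -d ' '
}

# read_prefix DEV NBYTES: copy the first NBYTES of DEV to stdout.
# Images built for a flash geometry are sector multiples, so read in
# 512-byte blocks when possible and fall back to byte-sized reads otherwise.
read_prefix() {
    if [ $(($2 % 512)) -eq 0 ]; then
        dd if="$1" bs=512 count=$(($2 / 512)) 2>/dev/null
    else
        dd if="$1" bs=1 count="$2" 2>/dev/null
    fi
}

# verify_image IMAGE DEV: 0 if the start of DEV equals IMAGE, 1 otherwise.
verify_image() {
    want=$(hash_stdin < "$1")
    got=$(read_prefix "$2" "$(file_size "$1")" | hash_stdin)
    [ "$want" = "$got" ]
}

# write_and_verify IMAGE DEV: dd the image onto DEV (as the README does),
# then read it back and compare. A mismatch usually means the wrong device,
# a card smaller than the image, or a bad card.
write_and_verify() {
    [ -r "$1" ] || { echo "cannot read image $1" >&2; return 2; }
    dd if="$1" of="$2" bs=64k 2>/dev/null || { echo "write to $2 failed" >&2; return 2; }
    sync
    if verify_image "$1" "$2"; then
        echo "$2: image verified"
    else
        echo "$2: read-back does not match $1" >&2
        return 1
    fi
}
```

For the remote variant, run `verify_image` on the target after the `ssh ... dd` pipe has finished; the comparison only needs the image's hash and size, which can be sent along with it.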

## Directory layout

- build.sh: central build script
- doc: various documentation
- template: common files with variables being substituted and then copied to the image
- config: machine-specific configuration (e.g. pf.conf)
- hardware: flash disk geometry for specific machines

## News

19.10.2017:
- updated to OpenBSD 6.2

14.4.2017:
- updated to OpenBSD 6.1

18.9.2016:
- updated to OpenBSD 6.0

15.7.2016:
- updated to OpenBSD 5.9

17.1.2016:
- updated to OpenBSD 5.8
- example shows how to use two nsd instances and one unbound to replace a
  split-horizon configuration formerly done with BIND views

## Roadmap

- improve update process, preferably an in-situ update via TFTP
- deal with logging
  - sensord
  - remote syslog
- various playgrounds
  - ospf, pfsync, carp
  - automatic acme and relayd certificate renewal for HTTPS relaying
    
## Other Embedded OpenBSD projects

tools for building small OpenBSD images (low level):

- CompactBSD: http://compactbsd.sourceforge.net/, back in 2002,
  looks like OpenBSD 3.x was the last version tested
- Flashboot: http://www.mindrot.org/projects/flashboot/
- Flashrd/Flashdist:
  - http://www.nmedia.net/flashrd/rlsnotes.html
  - https://github.com/yellowman/flashrd/
  - http://www.nmedia.net/~chris/soekris/: the original page, which is gone;
    flashdist is the older version of flashrd. The EIT firewalls were based
    on early scripts by Chris Cappuccio (early flashdist).
- Bowlfish:
  - http://www.kernel-panic.it/software/bowlfish/: the latest version, 2.1,
    is a little old (11.4.2013). The description of embedded OpenBSD there
    is well worth reading and gives good insight into how it works.
  - more a normal BSD install than an automatic image build
  - appears to target OpenBSD 4.9, not 5.x: the installer fails with
    `./install[332]: /usr/mdec/installboot: not found` and some files in
    etc are missing
- Soekris256:
  - http://256.com/gray/docs/soekris_openbsd_diskless/

more high-level:

- http://opensoekris.sourceforge.net/
- http://compactbsd.sourceforge.net/

others:

- https://andrewmemory.wordpress.com/tag/flashrd/
- http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html
- http://glozer.net/soekris/cf-install.html
- http://verb.bz/2011/06/12/openbsd-embedded-router/

## Hardware

At Eurospider we had Portwell NAR-2054 boards (3- and 5-ethernet-port
versions). Some have VGA and USB ports, others only COM ports, so make sure
boot output always goes to COM.

Now at Eurospider we run it on a Soekris net6501.

At home I'm running it on an ALIX.2D13 with 3 LAN ports and a WLAN card.

## VirtualBox build and test

Copy firewall-test.image (built with 'build.sh firewall-test') from the
OpenBSD build machine to the machine running VirtualBox, then create a VMDK
wrapper for the raw disk image:

```
VBoxManage internalcommands createrawvmdk -filename firewall-test.vmdk -rawdisk firewall-test.image
```

Configure the VM's serial port COM1 as a host pipe at `/tmp/serial` (let
VirtualBox create the pipe), then attach to the console with:

```
socat unix-connect:/tmp/serial stdio,raw,echo=0,icanon=0
```

The network devices are 'em0' etc. on VirtualBox, not 'reX' as on the real
box (at the time of writing VirtualBox emulates no Realtek ethernet card), so
the machine configuration (e.g. pf.conf) must use the VirtualBox names.
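The manual steps above (raw-disk wrapper, serial console on a host pipe, Intel NICs that show up as em(4)) can be scripted. The following is an added example, not part of this repository: it assumes the VM name `firewall-test`, the image name `firewall-test.image` and the pipe `/tmp/serial` from the README, attaches the disk via IDE so that OpenBSD sees it as wd0 like the flash (on an AHCI controller it would become sd0), and uses NAT for the WAN side and VirtualBox internal networks for the LAN and DMZ sides. `DRY_RUN=1` only prints the `VBoxManage` commands.

```sh
#!/bin/sh
# Added example (not part of this repository): build a VirtualBox VM around
# the raw firewall-test.image with COM1 on a host pipe and em(4) NICs.
# VM name, image name, pipe path and network layout are assumptions.
set -eu

VM=${VM:-firewall-test}
IMAGE=${IMAGE:-firewall-test.image}
SERIAL=${SERIAL:-/tmp/serial}
DRY_RUN=${DRY_RUN:-}

# run CMD...: execute CMD, or only print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

create_firewall_vm() {
    # Raw-disk wrapper: the VM writes straight into the image file, so keep
    # a pristine copy of the image if you want to restart a test from scratch.
    run VBoxManage internalcommands createrawvmdk \
        -filename "$VM.vmdk" -rawdisk "$IMAGE"
    run VBoxManage createvm --name "$VM" --ostype OpenBSD_64 --register
    # COM1 as a host pipe; VirtualBox creates the socket ("server").
    run VBoxManage modifyvm "$VM" --uart1 0x3F8 4 --uartmode1 server "$SERIAL"
    # 82540EM is attached as em(4) by OpenBSD: em0 = WAN (NAT),
    # em1 = LAN and em2 = DMZ on isolated internal networks.
    run VBoxManage modifyvm "$VM" --nic1 nat --nictype1 82540EM
    run VBoxManage modifyvm "$VM" --nic2 intnet --intnet2 lan --nictype2 82540EM
    run VBoxManage modifyvm "$VM" --nic3 intnet --intnet3 dmz --nictype3 82540EM
    # IDE, not SATA: the image expects to be wd0 (pciide), as on the flash.
    run VBoxManage storagectl "$VM" --name IDE --add ide
    run VBoxManage storageattach "$VM" --storagectl IDE --port 0 --device 0 \
        --type hdd --medium "$VM.vmdk"
}

attach_console() {
    # Attach to the host pipe after the VM has been started; raw mode so the
    # boot loader and getty see single keystrokes.
    socat "unix-connect:$SERIAL" stdio,raw,echo=0,icanon=0
}

case "${1:-}" in
    create)  create_firewall_vm ;;
    console) attach_console ;;
esac
```

Usage: `sh vbox-firewall.sh create` once, then `VBoxManage startvm firewall-test --type headless` and `sh vbox-firewall.sh console` in another terminal.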

## Troubleshooting

### DMA issues

If you get something like

```
pciide0:0:0: bus-master DMA error: missing interrupt, status=0x21
```

then switch the drive from DMA to a PIO mode by setting the wd(4) flags in
the kernel; see wd(4) for the meaning of the flag values. The following
session patches the kernel with flags 0xff0:

```
config -e -o /bsd.new /bsd

UKC> change wd
change (y/n) ? y
channel [-1] ? -1
flags [0] ? 0xff0
UKC> quit

mv -f /bsd.new /bsd
```

## Links to guides and documentation

- The OpenBSD manual pages.
- http://home.nuug.no/~peter/pf/en/long-firewall.html and Peter Hansteen's "Book of PF".
- limit handling in production (connection state limits):
  http://www.skeptech.org/blog/2013/01/15/pf-limits-in-openbsd/

## Other projects

- http://securityrouter.org, OpenBSD-based, free and commercial versions
  available, has a GUI