author: Andreas Baumann <mail@andreasbaumann.cc> 2018-06-05 21:12:40 +0200
committer: Andreas Baumann <mail@andreasbaumann.cc> 2018-06-05 21:12:40 +0200
commit: 90e3f116b60f7346d09f186fe6b9c1dc31ce7b40 (patch)
tree: 3d0f1e7423eb9ed04148e20a33bc5b32de285839
parent: 0aa8b2a3c1ecfa506f8cd0391a9140441bc4f456 (diff)
download: www-andreasbaumann-cc-90e3f116b60f7346d09f186fe6b9c1dc31ce7b40.tar.gz
www-andreasbaumann-cc-90e3f116b60f7346d09f186fe6b9c1dc31ce7b40.tar.bz2
moved OpenBSD-firewall from github
-rw-r--r-- content/software/OpenBSD_firewall.md 174
-rw-r--r-- content/software/_index.md 2
2 files changed, 176 insertions, 0 deletions
diff --git a/content/software/OpenBSD_firewall.md b/content/software/OpenBSD_firewall.md
new file mode 100644
index 0000000..a03ec00
--- /dev/null
+++ b/content/software/OpenBSD_firewall.md
@@ -0,0 +1,174 @@
++++
+title = "OpenBSD-Firewall"
+description = "OpenBSD firewall via scripts"
++++
+
+## History
+
+Earlier versions of this project were used at Eurospider by Mihai Barbos (https://github.com/mbarbos)
+to build corporate-style firewalls with Portwell hardware.
+
+Newer versions run on Soekris hardware now.
+
+I merely collected the ideas and updated them to new versions of OpenBSD and cleaned up the repository a little bit. :-)
+
+And I'm using it at home.
+
+## Github
+
+The old unsupported version can still be found on https://github.com/Eurospider/OpenBSD-firewall.
+
+Further development happens on git://git.andreasbaumann.cc/OpenBSD-firewall.git
+or http://git.andreasbaumann.cc/cgit/OpenBSD-firewall/.
+
+## Install
+
+Check disk geometry of flash with:
+
+ disklabel wd0
+
+Adapt disk geometry in hardware/[machine]/flash_params.
+
+Run 'build.sh [machine] [flash_profile]', e.g.
+
+ build.sh firewall-test firewall-test
+
+Transfer image to flash:
+
+ dd if=[machine].img of=/dev/wd0c
+
+or remotely (after booting from floppy dongle or from hard disk):
+
+ dd if=[machine].img | ssh [machine] "dd of=/dev/wd1c"
+
+## Directory layout
+
+- build.sh: central build script
+- doc: various documentation
+- template: common files with variables being substituted and then copied to the image
+- config: machine-specific configuration (e.g. pf.conf)
+- hardware: flash disk geometry for specific machines
+
+## News
+
+06.05.2018:
+
+ The firewall at Eurospider has not been updated in years and I'm fed up with
+ Github and the world in general, so I moved the repo and abandoned the old
+ development area on Github.
+
+15.04.2018:
+
+ updated to OpenBSD 6.3
+
+19.10.2017:
+
+ updated to OpenBSD 6.2
+
+14.4.2017:
+
+ updated to OpenBSD 6.1
+
+18.9.2016:
+
+ updated to OpenBSD 6.0
+
+15.7.2016:
+
+ updated to OpenBSD 5.9
+
+17.1.2016:
+
+ updated to OpenBSD 5.8
+ example shows how to use two nsd's and one unbound to replace a split horizon configuration formerly done with bind views
+
+## Roadmap
+
+- update to new versions of OpenBSD as they come along
+- improve update process, preferably an in-situ update via TFTP
+- deal with logging
+ - sensord
+ - remote syslog
+- various playgrounds
+ - ospf, pfsync, carp
+ - automatic acme and relayd certificate renewal for HTTPS relaying
+
+## Other Embedded OpenBSD projects
+
+Possible small OpenBSD makers (low level):
+
+- CompactBSD: http://compactbsd.sourceforge.net/, back in 2002, looks like OpenBSD 3.x was the last version tested
+- Flashboot: http://www.mindrot.org/projects/flashboot/
+- Flashrd/Flashdist:
+ - http://www.nmedia.net/flashrd/rlsnotes.html
+ - https://github.com/yellowman/flashrd/
+ - http://www.nmedia.net/~chris/soekris/: original page which has gone, flashdist is the older version of flashrd. The EIT firewalls where based on early scripts of Chris Cappuccio (early flashdist)
+- Bowlfish:
+ - http://www.kernel-panic.it/software/bowlfish/: latest version 2.1 seems a little bit old (11.4.2013). The description about Embedded OpenBSD is very worthy to read, gives quite some insights how it works.
+ sort of a normal BSD install, not really automatic
+ seems to be for OpenBSD 4.9, not for 5.x ./install[332]: /usr/mdec/installboot: not found some files in etc missing
+ - Soekris256: http://256.com/gray/docs/soekris_openbsd_diskless/
+
+more high-level:
+
+- http://opensoekris.sourceforge.net/
+- http://compactbsd.sourceforge.net/
+
+others:
+
+- https://andrewmemory.wordpress.com/tag/flashrd/
+- http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html
+- http://glozer.net/soekris/cf-install.html
+- http://verb.bz/2011/06/12/openbsd-embedded-router/
+
+## Hardware
+
+At Eurospider we had Portwell NAR-2054 (3 and 5 ethernet port versions),
+some have VGA ports and USBs, others only COMs, so make sure we always
+get boot output on COM.
+
+Now at Eurospider we run it on a Soekris net6501, but I'm not going to
+update and test that one anymore.
+
+At home I'm running it on an ALIX.2D13 with 3 LAN ports and a WLAN card.
+VirtualBox build and test
+
+Create a VMDK wrapper for the disk image built with 'build.sh firewall-test':
+
+ VBoxManage internalcommands createrawvmdk -filename firewall-test.vmdk -rawdisk firewall-test.image
+
+Copy firewall-test.image from OpenBSD machine to the machine running Virtualbox.
+
+Use COM1 and /tmp/serial, host pipe, create pipe in VirtualBox, then:
+
+ socat unix-connect:/tmp/serial stdio,raw,echo=0,icanon=0
+
+The network devices is 'em0' not 'reX' on VirtualBox (as opposed to the real box, at the time of writting there is no Realtek ethernet card emulated in VirtualBox).
+Troubleshooting
+DMA issues
+
+If you get something like
+
+ pciide0:0:0: bus-master DMA error: missing interrupt, status=0x21
+
+then change the access mode from DMA to PIO x See man wd(4) for the values of flags
+
+ config -e -o /bsd.new /bsd
+
+ UKC> change wd
+ change (y/n) ? y
+ channel [-1] ? -1
+ flags [0] ? 0xff0
+ UKC> quit
+
+ mv -f /bsd.new /bsd
+
+## Links to guides and documentation
+
+- Manpages of OpenBSD
+- http://home.nuug.no/~peter/pf/en/long-firewall.html and his "Book of PF".
+- limit handling in production (connection states): http://www.skeptech.org/blog/2013/01/15/pf-limits-in-openbsd/
+
+## Other projects
+
+http://securityrouter.org, OpenBSD-based, free and commercial versions available, has a GUI
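Review bot: three section titles in this file are missing their `##` markers and will render as ordinary paragraphs: "VirtualBox build and test" (directly after the ALIX.2D13 sentence in the Hardware section), "Troubleshooting" and "DMA issues" (before the pciide0 error text). Suggest `## VirtualBox build and test`, `## Troubleshooting` and `### DMA issues` so they match the rest of the document. On the Github section, the primary clone URL is `git://git.andreasbaumann.cc/OpenBSD-firewall.git`; the git protocol provides neither transport encryption nor server authentication, so an https URL should be listed first (or alone) for a project whose output is a firewall image written straight to flash with `dd`. Minor wording: "The network devices is 'em0'" should be "The network device is 'em0'", "writting" should be "writing", and the DMA paragraph reads "PIO x See man wd(4)", where the stray "x" looks like a leftover; "change the access mode from DMA to PIO, see man wd(4) for the values of flags" would read cleanly. In the Install section, the remote transfer line pipes the image over ssh into `dd of=/dev/wd1c`; a short sentence confirming that wd1 is the target flash (e.g. with `disklabel wd1` on the remote host, as the section already does locally for wd0) would prevent overwriting the boot disk of the remote machine.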
diff --git a/content/software/_index.md b/content/software/_index.md
index 4ae4cb3..cf5a707 100644
--- a/content/software/_index.md
+++ b/content/software/_index.md
@@ -30,5 +30,7 @@ title = "Software"
## Administration
+* [OpenBSD-firewall](/software/openbsd_firewall): a set of scripts
+ for building a small OpenBSD firewall appliance
* [Nagios libcurl plugin](/software/nagios_plugin_curl): a
[Nagios](http://www.nagios.org) plugin replacing check_http
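Review bot: the link target `/software/openbsd_firewall` is all lowercase while the new file is `content/software/OpenBSD_firewall.md`; this only resolves if the site generator lowercases URLs (Hugo does so by default via `disablePathToLower = false`), so it is worth checking that setting in the site config, or naming the file `openbsd_firewall.md` to match the existing `nagios_plugin_curl` entry. The new entry is also inserted ahead of the Nagios plugin although the list otherwise reads alphabetically; placing it after would keep that order.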