Diffstat (limited to 'content/software/OpenBSD_firewall.md')
-rw-r--r-- | content/software/OpenBSD_firewall.md | 222 |
1 files changed, 222 insertions, 0 deletions
diff --git a/content/software/OpenBSD_firewall.md b/content/software/OpenBSD_firewall.md new file mode 100644 index 0000000..baa9794 --- /dev/null +++ b/content/software/OpenBSD_firewall.md 
@@ -0,0 +1,222 @@ ++++ +title = "OpenBSD-Firewall" +description = "OpenBSD firewall via scripts" ++++ + +## History + +Earlier versions of this project were used at Eurospider by Mihai Barbos (https://github.com/mbarbos) +to build corporate-style firewalls with Portwell hardware. + +It ran on a Soekris net6501 for 4 years. + +Newer versions run on a Network LES of Thomas Krenn now. + +I merely collected the ideas and updated them to new versions of OpenBSD and cleaned up the repository a little bit. :-) + +And I'm using it at home on an Alix 2D.13. + +## Git + +Further development happens on git://git.andreasbaumann.cc/OpenBSD-firewall.git +or http://git.andreasbaumann.cc/cgit/OpenBSD-firewall/. + +## Install + +Check disk geometry of flash with: + + disklabel wd0 + +Adapt disk geometry in hardware/[machine]/flash_params. + +Run 'build.sh [machine] [flash_profile]', e.g. + + build.sh firewall-test firewall-test + +Transfer image to flash: + + dd if=[machine].img of=/dev/wd0c + +or remotely (after booting from floppy dongle or from hard disk): + + dd if=[machine].img | ssh [machine] "dd of=/dev/wd1c" + +## Directory layout + +- build.sh: central build script +- doc: various documentation +- template: common files with variables being substituted and then copied to the image +- config: machine-specific configuration (e.g. pf.conf) +- hardware: flash disk geometry for specific machines + +## News + +14.4.2024: + + updated to OpenBSD 7.5 + +19.10.2023: + + updated to OpenBSD 7.4 + +20.4.2023: + + updated to OpenBSD 7.3 + +22.10.2022: + + updated to OpenBSD 7.2 + +1.5.2022: + + updated to OpenBSD 7.1 + +24.10.2021: + + updated to OpenBSD 7.0 + +3.6.2021: + + updated to OpenBSD 6.9 + +22.10.2020: + + updated to OpenBSD 6.8 + +5.6.2020: + + updated to OpenBSD 6.7 + +20.10.2019: + + updated to OpenBSD 6.6 + +11.05.2019: + + updated to OpenBSD 6.5 + +28.10.2018: + + updated to OpenBSD 6.4 + +06.05.2018: + + moved repository from Github to a local repository. 
+ +15.04.2018: + + updated to OpenBSD 6.3 + +19.10.2017: + + updated to OpenBSD 6.2 + +14.4.2017: + + updated to OpenBSD 6.1 + +18.9.2016: + + updated to OpenBSD 6.0 + +15.7.2016: + + updated to OpenBSD 5.9 + +17.1.2016: + + updated to OpenBSD 5.8 + example shows how to use two nsd's and one unbound to replace a split horizon configuration formerly done with bind views + +## Roadmap + +- update to new versions of OpenBSD as they come along +- improve update process, preferably an in-situ update via TFTP +- deal with logging + - sensord + - remote syslog +- various playgrounds + - ospf, pfsync, carp + - automatic acme and relayd certificate renewal for HTTPS relaying + +## Other Embedded OpenBSD projects + +Possible small OpenBSD makers (low level): + +- CompactBSD: http://compactbsd.sourceforge.net/, back in 2002, looks like OpenBSD 3.x was the last version tested +- Flashboot: http://www.mindrot.org/projects/flashboot/ +- Flashrd/Flashdist: + - http://www.nmedia.net/flashrd/rlsnotes.html + - https://github.com/yellowman/flashrd/ + - http://www.nmedia.net/~chris/soekris/: original page which has gone, flashdist is the older version of flashrd. The EIT firewalls where based on early scripts of Chris Cappuccio (early flashdist) +- Bowlfish: + - http://www.kernel-panic.it/software/bowlfish/: latest version 2.1 seems a little bit old (11.4.2013). The description about Embedded OpenBSD is very worthy to read, gives quite some insights how it works. 
+ sort of a normal BSD install, not really automatic + seems to be for OpenBSD 4.9, not for 5.x ./install[332]: /usr/mdec/installboot: not found some files in etc missing + - Soekris256: http://256.com/gray/docs/soekris_openbsd_diskless/ + +more high-level: + +- http://opensoekris.sourceforge.net/ +- http://compactbsd.sourceforge.net/ + +others: + +- https://andrewmemory.wordpress.com/tag/flashrd/ +- http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html +- http://glozer.net/soekris/cf-install.html +- http://verb.bz/2011/06/12/openbsd-embedded-router/ + +## Hardware + +At Eurospider we had Portwell NAR-2054 (3 and 5 ethernet port versions), +some have VGA ports and USBs, others only COMs, so make sure we always +get boot output on COM. + +It ran on a Soekris net6501 for 4 years, then the Soekris died. + +Newer versions run on a Network LES of Thomas Krenn now. + +At home I'm running it on an ALIX.2D13 with 3 LAN ports and a WLAN card. + +## VirtualBox build and test + +Create a VMDK wrapper for the disk image built with 'build.sh firewall-test': + + VBoxManage internalcommands createrawvmdk -filename firewall-test.vmdk -rawdisk firewall-test.image + +Copy firewall-test.image from OpenBSD machine to the machine running Virtualbox. + +Use COM1 and /tmp/serial, host pipe, create pipe in VirtualBox, then: + + socat unix-connect:/tmp/serial stdio,raw,echo=0,icanon=0 + +The network devices is 'em0' not 'reX' on VirtualBox (as opposed to the real box, at the time of writting there is no Realtek ethernet card emulated in VirtualBox). +Troubleshooting +DMA issues + +If you get something like + + pciide0:0:0: bus-master DMA error: missing interrupt, status=0x21 + +then change the access mode from DMA to PIO x See man wd(4) for the values of flags + + config -e -o /bsd.new /bsd + + UKC> change wd + change (y/n) ? y + channel [-1] ? -1 + flags [0] ? 
0xff0 + UKC> quit + + mv -f /bsd.new /bsd + +## Links to guides and documentation + +- Manpages of OpenBSD +- http://home.nuug.no/~peter/pf/en/long-firewall.html and his "Book of PF". +- limit handling in production (connection states): http://www.skeptech.org/blog/2013/01/15/pf-limits-in-openbsd/ + +## Other projects + +http://securityrouter.org, OpenBSD-based, free and commercial versions available, has a GUI |
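Review bot: the image file name is inconsistent between the Install and VirtualBox sections of this hunk: Install transfers `[machine].img` (`dd if=[machine].img of=/dev/wd0c`), while the VirtualBox section wraps `firewall-test.image` (`VBoxManage internalcommands createrawvmdk ... -rawdisk firewall-test.image`) and says to copy `firewall-test.image`; pick the extension build.sh actually produces and use it in both places, otherwise a reader following the VirtualBox steps will look for a file that does not exist. Smaller points in the same hunk: "Troubleshooting" and "DMA issues" appear as bare lines with no `##`/`###` marker, so they will not render as headings under the `## VirtualBox build and test` section; "writting" should be "writing" and "The network devices is" should be "The network device is"; and the Install section could state the expected disk/partition device more carefully, since `dd of=/dev/wd0c` on the local box versus `dd of=/dev/wd1c` over ssh differ only by device number, which is easy to get wrong when the target is the running system's own disk.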