From 8b9b2922e529f2f524fa06b4d98390a6d3d5a75e Mon Sep 17 00:00:00 2001 From: Andreas Baumann Date: Fri, 14 Jul 2017 10:50:30 +0200 Subject: forgot to add openbsd applicance blog?! --- content/blog/openbsd-firewall-appliance-intro.md | 212 +++++++++++++++++++++++ 1 file changed, 212 insertions(+) create mode 100644 content/blog/openbsd-firewall-appliance-intro.md diff --git a/content/blog/openbsd-firewall-appliance-intro.md b/content/blog/openbsd-firewall-appliance-intro.md new file mode 100644 index 0000000..622ded3 --- /dev/null +++ b/content/blog/openbsd-firewall-appliance-intro.md @@ -0,0 +1,212 @@ ++++ +title = "OpenBSD firewall applicance - Intro" +categories = [ "OpenBSD", "Security" ] +date = "2017-06-15T09:25:47+02:00" +thumbnail = "/images/blog/openbsd-firewall-appliance-intro/alix_rpi.jpg" + ++++ + +## History + +Since some time our company [Eurospider](https://www.eurospider.com) +was using home-grown firewalls based on OpenBSD. Our administrator +at this time (Mihai Barbos, https://github.com/mbarbos) decided to +use Portwell NAR-2054 hardware with 3 up to 5 ethernet ports +and run a customized OpenBSD on it. + +Now the company firewall is a Soekris net6501 as the Portwell +firewalls started to become a little bit rusty. There is still +one Portwell left in use for a control network serving access +to remote management consoles of our servers. + +Also at home I'm using this solution on an +[Alix 2D.13](https://pcengines.ch/alix.htm) with 3 +ethernet ports. + +## Concepts + +In theory you could just go with a default installation +and customize from there. A well-known security principle though +is to put the minimal amount of services onto a machine and add +only the things really needed to do the job. + +Another solution would have been to go with an appliance like +[PfSense](https://www.pfsense.org), but they always provide +some user interface (written in Lua, Php, etc.). +Web technology is not really in the base of OpenBSD, only +in the ports, so this could open a security threat. + +A good security feature is to work with read-only media. In the +case of the Alix and the Portwell this is a compact flash, in +case of the Soekris a mini-USB-dongle. This prevents wearout and +more importantly, no processes can write onto the system (but +for a mfs (memory file system) for the /tmp directory. + +Instead of a clicky-clicky web interface which generates a +big unreadable set of configuration files (for instance +firewall rules), I personally prefer a text editor and simple +rules. Again, complexity in a firewall setup is a no-go, the +less complex it is, the more likely you understand all rules +you put in there. And understanding what you are doing is the +key to a secure system. + +So, we start from a build-machine running a standard OpenBSD. +From there a build script (build.sh) creates a virtual filesystem +(vnode disks, vnconfig, the Linux world would use loopback devices). +This image is then transfered with 'dd' to the real media (compact +flash or USB stick). + +The early scripts are based on scripts from Chris Cappuccio, +sadly I was not able to find the original webpage anymore. + +## Customization + +The build.sh script takes a directory called 'template'. This +directory contains files which are copied as is to the image. +Usually this directory needs synching with the host system every +time you upgrade OpenBSD. + +All binaries and required libraries are fetched from the +host system runing OpenBSD. + +The directory 'config' contains files per appliance you want +to build. + +Basic network connectivity is configured in the following files: + +``` + rc.net + dhclient.conf + hosts + networks + rc.net +``` + +The 'rc.net' file is a snippet which gets added to the boot +script '/etc/rc'. There you set up the network directly with +OpenBSD commands like: + +``` + dhclient vr0 + ifconfig bridge0 create + ifconfig bridge0 add vr1 + ifconfig bridge0 add vr2 + route add -net 192.168.1.0/24 192.168.1.1 +``` + +The firewall lives in one file 'pf.conf' and contains the +standard OpenBSD firewall rules: + +``` +# interfaces +ext_if = vr0 +... +match out on $ext_if from nat-to ($ext_if) +... +pass in quick on $ext_if proto udp from port 67 to port 68 +... +``` + +The other snippet which gets added to '/etc/rc' is +'rc.services'. There you start all services you want to +run on the machine: + +``` +echo unbound: starting DNS resolver.. +cp -R /etc/unbound /tmp/var/unbound +/usr/sbin/unbound +``` + +You also put all required files for each service into that directory. For instance: + +* for DHCP: dhcpd.conf + +``` +shared-network LAN { + ... + + subnet 192.168.1.0 netmask 255.255.255.0 { + option routers 192.168.1.1; + range 192.168.1.128 192.168.1.249; + } +``` + +* for NTP: ntpd.conf + +``` +servers pool.ntp.org +listen on 127.0.0.1 +listen on 192.168.1.1 +``` + +* for DNS resolving and caching (unbound subdir with unbound.conf) + +* for DNS server you need a need one configuration directory per + view (for a split-horizon setup): + +``` +nsd-external/ +nsd-external/run +nsd-external/run/xfr +nsd-external/run/xfr/.gitkeep +nsd-external/zones +nsd-external/zones/myzone +nsd-external/zones/somebodyelseszone +nsd-external/etc +nsd-external/etc/nsd.conf +``` + +(this I will cover in another article, as it is a little bit more +tricky to set up). + +* Relaying traffic with relayd, relayd.conf: + +``` +... +http protocol "http_protocol" { + ... + match request quick header "Host" value "www.mydomain.com" \ + forward to no tag +} +... +``` + +Finally you create a file with the CHS parameters of your media +(yes, this is needed for bootloading on OpenBSD) in a file +called 'hardware/myfirewall/flash_params': + +``` +BYTES_PER_SECTOR=512 +SECTORS_PER_TRACK=32 +TRACKS_PER_CYLINDER=16 +SECTORES_PER_CYLINDER=512 +CYLINDERS=978 +OFFSET=32 +``` + +To create the image you simple call: + +``` +./build.sh [your config profile] [flash_params profile] +``` + +## Future + +I'm trying to keep up with new versions of OpenBSD. + +I would like to test more things around the following topics: + +- monitoring of firewall data (pflogd), sensor logging, remote syslog +- play with redundancy (CARP) +- automatic acme and relayd certificate renewal for HTTPS relaying +- in-situ updates: currently I have to open the device, remove the flash, + stuff it into a floppy to compact flash adapter, write the image, put + it back. This is tedious. :-) + +## Github + +The whole project can be found on Github: + +http://github.com/andreasbaumann/OpenBSD-firewall + +Feedback welcome. :-) -- cgit v1.2.3-54-g00ecf