tarballed
August 20th, 2002, 17:31
Hello everyone. I wanted to share my experience with setting up my first OpenBSD firewall. I'm hoping that people new to OpenBSD who are looking for a firewall will find this helpful in getting them up and running.

Equipment I used:
The OpenBSD Firewall/Gateway had the following specs:
P120
32mb RAM
6.4 gig drive
3.5 drive
Two NIC cards.

Just about any system will do. I was fortunate to pick up this system for $10 at a local computer place.

To start with I did an FTP install of OpenBSD. This is very easy and there is a very good step-by-step process on the OpenBSD web page.

After you have installed OpenBSD, it's time to make a few changes and configurations.

1) Turn on Packet Filter (I'm assuming PF will be used since it comes built into the kernel with 3.0 and 3.1)
Edit rc.conf and change the pf line from NO to YES.
2) Turn off any unnecessary services. I turned off portmap, quotas and identd.
3) Make sure you edit sysctl.conf to enable packet forwarding:
remove the # in front of: net.inet.ip.forwarding=1

Check your hostname files for your NICs:
For example, I have two NICs in my firewall. One is labelled ep0 and the other is dc0. You should see two hostname files in your /etc directory, one per interface. Mine were /etc/hostname.ep0 and /etc/hostname.dc0.
For me, ep0 was connected directly to my cable modem and dc0 was the second NIC connecting to my switch and internal lan.

If you are connected via cable modem for example, your external hostname file will contain the following:

dhcp NONE NONE NONE

Your internal NIC can contain the following:

inet 192.168.1.1 255.255.255.0 media autoselect

For me, ep0 (external) contained: dhcp NONE NONE NONE
and dc0 contains: inet 192.168.1.1 255.255.255.0 media autoselect

Your interfaces are now set.

Now it's time to edit your pf.conf and nat.conf rules.

I highly recommend you read the Networking section (FAQ 6) on the openbsd.org web site. Very good information on how to build your pf.conf and nat.conf rules.

You can check out some examples of nat and pf rules at the following thread:
http://screamingelectron.org/phpBB2/viewtopic.php?t=45

!VERY Important! Make sure that when you are editing your pf.conf and nat.conf rules that you have all your wiring correct and set up. What I mean is, make sure your internal NIC is connected to the uplink port on your switch or hub. The reason is that, if it is not, your nat.conf rules will not load when you try to load them. It needs to have an active connection. So make sure your external NIC is active with a valid IP and your internal NIC is connected with a crossover cable to the uplink port on your switch or hub. Very important!

One problem I was having was with my nat.conf rules. I'm not exactly sure what the problem was, but they were not loading correctly which caused PF not to load.

After some troubleshooting, this is what I did to resolve my issue. I backed up my old nat.conf as nat.conf.old. I then recreated a nat.conf file using vi. I added the basics in the nat.conf file.

Once that was finished, I then executed the command: pfctl -N /etc/nat.conf to reload my nat rules.

If you receive no errors, then everything is working correctly. If you receive errors, there is a problem with that nat.conf file, which you will be able to see after you execute the pfctl -N /etc/nat.conf command.

Once you have run pfctl -N /etc/nat.conf, run pfctl -R /etc/pf.conf to test your pf rules for any errors.
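For the layout in this post (ep0 facing the cable modem, dc0 on the 192.168.1.0/24 LAN), here is an added, basic pair of rule files; it is not from the original post and assumes the 3.1-era PF syntax with a separate nat.conf, and that your release accepts the `(ep0)` dynamic-address form.

```pf
# /etc/nat.conf  (added example: ep0 = cable modem side, dc0 = internal LAN)
# Masquerade the internal network behind whatever address ep0 got from DHCP.
# "(ep0)" tracks the interface address dynamically; this form is assumed here,
# on a release without it put the actual external address after "->".
nat on ep0 from 192.168.1.0/24 to any -> (ep0)

# /etc/pf.conf
ext_if  = "ep0"
int_if  = "dc0"
int_net = "192.168.1.0/24"

# Drop private and loopback source addresses arriving from the cable side;
# nothing legitimate on the Internet is sourced from these ranges.
block in quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 } to any

# Default deny in both directions; everything allowed below is an explicit exception.
block in all
block out all

# Trust loopback and the internal LAN interface.
pass in  quick on lo0 all
pass out quick on lo0 all
pass in  quick on $int_if from $int_net to any
pass out quick on $int_if from any to $int_net

# Let the firewall and the LAN reach out; keep state so replies come back
# without needing any inbound pass rule on the external interface.
pass out on $ext_if proto tcp from any to any flags S/SA keep state
pass out on $ext_if proto { udp, icmp } from any to any keep state
```

Load them in the order the post gives (pfctl -N first, then pfctl -R) and check the output of each before trusting the box on the cable side.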

Once you have that all done, you need to setup your internal LAN computers with the correct network information.

Change the network info, fire it up and you should be all set.

Hope this helps.
Thanks to everyone who helped me out with my firewall: elmore, bsdjunkie, frisco and minion.

Tarballed