August 15th, 2002, 21:16
Ok everyone. NAT is now functioning on my firewall!!!!

Not sure exactly what the problem was, but I fixed it.

What did I do?

Simple: Deleted my nat.conf file and recreated a new nat.conf file from scratch. (I use vi...vi all the way! :) )

This is all it contained:

#Declare interfaces
ext_if = "dc0"

nat on $ext_if from to any -> $ext_if

Ran pfctl -N /etc/nat.conf NO ERRORS!!

Well, that works but i've run into a little snag.

On my LAN, my computers can ping the gateway, however, I cant reach the internet.
WHen I try to ping a known IP that will work, I get Destination unreachable.

Now this is where im going to need some help on what type of tests I need to run to make sure everything is functioning correctly.

I'm new to this part, so please bear with me. I did take some netstat -rn and here are the results:

Hmm, I cant get the results to turn out neatly here. It gets all mumbled together. Thoughts?

Let me know what other tests I can run and I can post the results ASAP.



August 15th, 2002, 21:24
can you ping the outside world from the gateway?

if yes, then verify you are forwarding packets:
# sysctl -w net.inet.ip.forwarding
net.inet.ip.forwarding = 1
if that's a 0, then you are not forwarding packets. as root, enter:
sysctl -w net.inet.ip.forwarding=1
and edit /etc/sysctl.conf to set that var to 1 as well.
if it already is set to 1, then try a traceroute and see where the packets stop. you might want to change your firewall rules to simple pass in pass out everythin to eliminate that as a block.

if you cannot ping the outside world from your gateway, then you need to verify your external nic is working and has a good ip. again you might want to disable firewall block rules until you can ping the outside world, then enable rules one at a time until you can no longer ping, that rule is the problem.

that should give you some work...

August 15th, 2002, 21:28
I'll give that a whirl, see what I can come up with.

Last I checked, net.inet.ip.forwarding was uncommented and set to 1. I will double check.

I will also go through my rules, one by one and see what I can do. :)

I will update asap.

FYI, have a meeting tonight so I have to leave around 6pm (grrrr) so if I dont update then, its because of my meeting. :)


August 15th, 2002, 21:48
Sheesh. I think im going to have to just format and reinstall.

I rebooted my machine and now nat is screwed up again. :shock:

Nat i get this error:

/etc/nat.conf:4: nat ip versions must match
pfctl: syntax error in file: nat rules not loaded

This is like a soap opera.

Im about ready to pull my hair out.

Maybe a fresh install? I'd have to install via FTP. If so, what is recommended? The general release or a snapshot?

Tarballed, who is beyond frustrated ::grrrrrrr::

August 15th, 2002, 22:11
/etc/nat.conf:4: nat ip versions must match pfctl: syntax error in file: nat rules not loaded

dc0 has no ip associated with it. check the output of
ifconfig dc0

it should be getting one via dhcp, yes? during boot you probably noticed a bunch of messages about htis, and it probably took a long time.

try the following:

first, find and kill off dhclient:
kill `ps auxw|grep dhclient|grep -v grep |cut-c10-15`
verify it isnt running:
ps auxw|grep dhclient
run dhclient:
dhclient -1 dc0
this may take a while if you do not get an ip.

if it does not get an ip, then try this:
pfctl -R /dev/null
dhclient -1 dc0

does it get an ip now?

if so, something in your pf rules is blocking it from getting an ip.

if it does not get an ip, then check your cabling. make sure 'ifconfig dc0' at least reports 'status: active'

August 16th, 2002, 01:22

Im typing this while behind my beautiful OpenBSD FIREWALL!!!!

I made a few changes and now it's working. I'm not exactly sure what I did, but its now working.

Thanks for everyones input! It feel soooo good to have this up and running!

Thanks elmore, frisco, minion, bsdjunkie for all your input and helping me get this up and running!!

I feel like a kid in a Candy store! :)


August 16th, 2002, 01:26
hehe 8)

/me hacks tarballed setup to see if its right :P j/k =P

August 16th, 2002, 01:32
hehe :shock:

I will probably be bugging you guys here pretty soon on how to lock down my box even more and stop unecessary services as well as monitoring my firewall.

Real quickly. I need to make sure sendmail is turned of completely.

For example, here is sendmail in rc.conf:

# For normal use: "-L sm-mta -bd -q30m"
sendmail_flags="-L sm-mta -C/etc/mail/localhost.cf -bd -q30m"

Can I just set sendmail to NO?

Do you recommend quota and portmap set to NO as well?

Thanks bsdjunkie :)


August 16th, 2002, 01:58
For my firewalls I ALWAYS load the bare minimum.

When I load OpenBSD on a firewall I load no man pages, compiler, apache, ports nothing. A firewall should be as stipped down as possible. Nothing but the smallest install possible.

Also, I believe there are about 14 patches out for OpenBSD 3.1 no. Make sure, MAKE double sure, you have all of your patches installed. 3.1 is great but it has had more than its share of problems. just make sure you patch your box.

As far as hardening your box goes I recommend at least the following

In rc.conf I always diable inetd and portmapper I always run just the bare minimum services. I also only allow root to run cronjobs (especially since I never add additional users (outside of a one off Operator account) to a firewall.) .

There are lots of other things you can do but, those should get you started.

August 16th, 2002, 02:03
yeah., waht elmore said. as far as sendmail. it does not listen to network by default, but turning it off if not needed is still good idea.


August 16th, 2002, 02:09
Ya, i'm planning on running a completely bare firewall. I figure the more stuff on the firewall running, their are more doors open. I've only created one operator account as well.

I'm not running apache, ports, sendmail and anything else I can strip down to lock this bad boy down.

One thing I do need to learn though is patching. I'm going to try and find some documentation here tonight so I can find out HOW to patch my box.

If anyone has some links or words of advice for patching, go ahead and fire it at me. :) I need the practice.

Thanks again guys. You guys are great!


August 16th, 2002, 02:48
Real quickly. I need to make sure sendmail is turned of completely.

For example, here is sendmail in rc.conf:

# For normal use: "-L sm-mta -bd -q30m"
sendmail_flags="-L sm-mta -C/etc/mail/localhost.cf -bd -q30m"

Can I just set sendmail to NO?

Do you recommend quota and portmap set to NO as well?

keep in mind some mail will be very useful, like the daily/weekly/monthly reports. that said, if you really want to turn off sendmail, set it to 'NO' in rc.conf, comment out the sendmail line in root crontab, and kill off the currently running version.

go ahead and set quota and portmap to NO as well, and inetd while you're at it (but dont forget you did that in case the purpose of the box sometime changes).

as for monitoring, the daily/weekly/monthly scripts are quite handy. log'ing appropriate firewall rules is handy. keep logs an appropriate amount of time (look at /etc/newsyslog.conf). logging to a remote machine may be appropriate too; at work we have a couple machines running as deicated syslog servers - all they do is log other machine's messages. snort may be handy (popular, robust IDS - instrusion detection system), as may swatch and other log monitoring utilities.

dont forget to scan your firewall. learn to use Their tools - nmap is great. look at the utils in /usr/ports/net and /usr/ports/security for other good tools (foreach port, the file /usr/ports/net/$PORT/pkg/DESCR will be handy to DESCRibe what the utility does).

if you really really need to lock down your box, then look into securelevel, chflags and mount options (noexec, nosetuid).

for any given unix system, take a look at what is running (that is, what started at boottime) and what will be running (via at, cron). make sure you understand the conf files associated with those processes, the reasons they are running, the way they should normally appear when running, how they start/stop. yeah it's a lot of work, no you wont do it overnight, yes over time you will learn all of it.

August 16th, 2002, 02:59
Thanks frisco. I really appreciate all of your help.

Yep, i'm very new, but im extremely eager to learn and have a absolute blast doing it. It's amazing how much fun all this stuff can be.

Back on topic, once I set portmap, inetd and quotas to NO, I need to reboot?

I dont have any ports installed at this time, but the idea of adding additional network tools (nmap for example) is very tempting.

Also, I plan to comb over cron as much as I can this weekend as well as study up on CVS, patching and anything else I come across.

Just to double check, once i've put NO to those services, do I need to reboot the box? Just wanted to check.

Thanks again!


August 16th, 2002, 03:17
Hmmmmm...... I don;t want to put words into friscos mouth but I am sure he means scanning your box via a remote host. Adding packages like nmap etc. (while they're great tools) is probably not something you want to add to your firewall. Indeed, you'd have a hard time getting an accurate reading from nmap if you scanned the box you were scanning from.

I.E. Use a seperate box. scan from both the inside and the outside. A scan like the below example should produce some good initial results.

nmap -v -v -v -v -sS -P0 -O xxx.xxx.xxx.xxx

Where x = the ip of the box you're scanning.

August 16th, 2002, 03:17
Just to double check, once i've put NO to those services, do I need to reboot the box? Just wanted to check.

my brain is real tired right now but i think the correct answer is:
no need to reboot, but you really should anyways.

If you do not reboot, then you must stop the appropriate services since they are already running. But if you can, you should always reboot after making changes to startup files. if you dont reboot for months, and then you do, and something goes wrong, you may forget what changes you made. you reboot now so that you are sure your machine can come up unsupervised. Make sure it can come up unsupervised - the day will come that you've set up an OpenBSD firewall for your mother/friend/customer and you will want to make sure you don't have to drive out there everytime a power outage reboots the box.

while you're learning things this weekend, you may also want to check out everything in rc(8), particularly /etc/rc and /etc/netstart - these may help you understand why things worked/didnt work when you were having troubles before. fwiw whenever i set up a new openbsd box i also look through everything in /etc/*conf just to refresh my memory and make sure i'm not missing something.

August 16th, 2002, 03:26
Hmmmmm...... I don;t want to put words into friscos mouth but I am sure he means scanning your box via a remote host.

yup, install nmap and other scanning utils on other machines, scan firewall from there.
snort and logwatching utils can go on the firewall, if necessary (starts to depend on how much hardware you have to throw at a project)

aside: ftp bounce scan might produce accurate results even when run from the firewall.

August 16th, 2002, 11:19
Thanks guys. Great information. I plan to have a major sit down this weekend with my OpenBSD box so we can get to know each other very well. :)

My next step is to apply all of the patches I need. Once I have this done, time to disable any services I dont need. (portmap, quotas identd).

(Still researching on the proper way to apply a patch :) think i've got the general idea, but not sure. Im going off of OpenBSD FAQ. CVS sounds very cool as well)

I would like to install snort on my Firewall box for IDS.

Also, would like to setup some logging on my firewall so I can become familiar with logs, decypher the logs and know whats going on with my firewall.

This is so much fun. I absolutely love it! I woke up in the middle of the night just to play with my LAN. hehehe

Thanks for everyones help and input. It's really pulled me through this and has me speeding into the next direction.

All suggestions and advice are welcome. Thanks everyone.


August 20th, 2002, 09:41
Someone said in the thread that it is a good idea to switch off sendmail. This is not the case! A lot of apps rely on sendmail functionality, most importantly is the daily, weekly and monthly security output. Also other things like an invalid sudo (which could point you right to a cracker) etc.

sendmail does not listen on the external interfaces and is therefore safe.