Setting up an OpenBSD Firewall

From Docupedia

Written By: Bryan Rite updated to 3.8 By: Jeff Smith

Date: 09/29/2005 3.8 Update: 04/29/2006

Shout Out To: Jeff Smith and Ben Klang

Overview

The goal of this tutorial is to transform some old, crappy box you got for free into a badass, super secure, packet-filtering machine.

Why use OpenBSD?

OpenBSD (sometimes called obsd) should be the first thing that comes to mind when you want an advanced, full-featured firewall. It is extremely lightweight and the most secure distro by default. The biggest features of obsd are pfsync and CARP for creating clustered, fail-safe firewalls. Also, it's born and raised in Canada... lucky!

Expectations

This tutorial will guide you through the install and setup of an OpenBSD firewall for a home or small business, as opposed to a fail-over clustered firewall for your datacenter (or so you can play Counter-Strike Source and only get a jitter on a full node failure).

I am using OpenBSD as opposed to some Linux distro mainly because of its security out of the box and its extremely light use of resources. Any machine I can get my hands on will make a great dedicated firewall.

Pre-Installation

Checklist

  • Read Creating a bootable OpenBSD ISO to create a standalone install disc, or alternatively use the method below for a network install.
  • Get the install media at one of the OpenBSD ftp mirrors.
    • Go to ftp://ftp.openbsd.org/pub/OpenBSD/3.8/ and navigate to your version and architecture. I'll be installing version 3.8 (the latest version at this time) on a plain-jane Pentium 3 (i386).
    • Follow the Creating an OpenBSD ISO howto in this same section.
    • Burn this ISO to create the boot disc you'll start the install from.
    • You can install using a floppy image as well, but CD is just easier. The CD comes with the most drivers, so it's less hassle.
  • I'll be using one 20GB IDE hard drive - this is super overkill, but it's hard to find 1 or 2GB drives sometimes.
  • We'll be doing a network install, so make sure you know your network configuration or are using DHCP.
  • Since we are building a dedicated firewall cluster box, we need three NICs: one for the dirty (external) interface, one for the clean (internal) interface, and one for the CARP interface, which the firewalls use to broadcast their current state.
  • I'm using 256MB of RAM, but 32MB or 64MB would be more than enough.

Installation

Starting the Install

Boot from the CD we made. It'll come to a boot prompt; either wait 5 seconds or type boot to get it started.

After the system is done detecting hardware, you'll get to the boot menu:

 erase ^?, werase ^W, kill ^U, intr ^C, status T
 (I)nstall, (U)pgrade or (S)hell? _

Type i and press enter.

You'll then be asked for your terminal type:

 Terminal type? [vt220]

Press enter.

Then a keyboard type. Most of us will be using the US layout:

 kbd(8) mapping? ('?' for list) [none]

Type us.

Preparing the disk

The installer will ask you about your monitor and keyboard. You can mostly just press enter to choose the defaults, but if you are using a funky monitor or a foreign-language keyboard map, you'll have to let the installer know what you're using.

 IS YOUR DATA BACKED UP? As with anything...
 ...
 Proceed with install? [no]

I don't care about anything on the hard drive at this point, so I'm going to proceed: type y and enter.

 Available disks are: wd0
 Which one is the root disk? (or 'done') [wd0]

This has detected our only hard drive (wd0) and asks whether it's going to be our root disk. Press enter to continue.

 Do you want to use *all* of wd0 for OpenBSD? [no]

Again, I don't care about the hard drive, so I'll just use it all: type y and enter.

Creating a disklabel

Next we create a disklabel, which tells the installer how to partition the disk. We could give each filesystem its own partition, but that isn't too important for our home application, so we'll just use the entire disk. Typing p prints the partition table.

 a:     12578832        63   unused   0   0
 c:     12582912         0   unused   0   0

Here we have two partitions: c:, which is the entire disk, and a:, which is the OpenBSD partition over the entire disk. But we don't have a swap partition, so we will delete a:, add a swap, and then re-add a:.

d a - deletes the a: partition.

a b - creates a new partition named b with a couple other questions.

 > d a
 > 
 > a b
 offset: [63]
 size: [12578832] 256M
 Rounding to nearest cylinder: 524097
 FS type: [swap]

b: is conventionally the swap partition, so the installer automatically proposes swap as the FS type.

We then want to re-add the single large partition back in now that we have our swap.

 > a a
 offset: [262080]
 size: [12316815]
 FS type: [4.2BSD]
 mount point: [none] /

We make the a: partition: the default offset is fine (it automatically goes after the swap), the size uses up the rest of the disk, the FS type is the default 4.2BSD filesystem, and we change the mount point to / to make it the root.

Our disk label should be complete. Type p to take a look:

 > p
 
           size     offset  fstype
 a:    12316815     262080  4.2BSD
 b:      262017         63    swap
 c:    12582912          0  unused

So that's showing us that c: is the entire disk, a: is the root partition taking up almost all the disk, and b: is our 256M swap. Looks like we are ready to continue.

Type q and then enter to get to the partitioning confirmation, and y at the confirmation to apply.

System Setup

Alrighty, finished partitioning, now we are prompted for the hostname - enter whatever you like.

Network Configuration

Next, we do want to configure the network, so type y.

 Available interfaces are: rl0 vr0.
 Which one do you wish to initialize? (or 'done') [rl0]

So we see both of our NICs. Determine which one you want to be external and which one will be internal. I'll be using the Realtek rl0 as the external.

It then asks for a symbolic hostname. Convention and habit from using Smoothwall back in the day makes me name external interfaces red and internal ones green, so I'll name it red.

Since it's external, I'll just be using DHCP for its configuration.

Next we do the green interface. Since it'll be the internal gateway we want a static IP, so I'll set the IP to 10.6.7.254 (or whatever you want your internal network to be). The default netmask is usually fine, but adjust as needed.

I can usually just use the defaults for the DNS domain name and nameserver IPs, as they should be picked up via the external DHCP. The default route also comes from DHCP, and barring any weirdo problems you shouldn't need to do any editing or manual configuration.
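As an added example (not part of the original tutorial), here is what the two interface answers above end up as in hostname.if(5) files on a 3.8-era system, plus a small sanity check I'd run after the first boot. It assumes rl0 is red (dhcp) and vr0 is green at 10.6.7.254/24 as in the walkthrough, and that the ETC variable points at /etc (override it to dry-run the check against a scratch directory).

```shell
#!/bin/sh
# Added example, not from the original tutorial. The installer writes the
# network answers into hostname.if(5) files; this reproduces them for the
# red (rl0, dhcp) / green (vr0, 10.6.7.254/24) layout and checks that the
# box is actually configured as a gateway after the first boot.
# Assumption: ETC points at /etc on the firewall; set it to a scratch
# directory to dry-run the check on another machine.

ETC="${ETC:-/etc}"

# Reproduce the two files the installer generates for our answers.
# The 3.8-era static form is "inet addr netmask broadcast", where NONE
# means "derive the broadcast address from the netmask".
write_hostname_if() {
    printf 'dhcp\n' > "$ETC/hostname.rl0"
    printf 'inet 10.6.7.254 255.255.255.0 NONE\n' > "$ETC/hostname.vr0"
}

# Sanity-check the resulting configuration. Return codes:
#   1 - red interface is not on dhcp
#   2 - green interface lacks the expected static address
#   3 - IP forwarding is not enabled (the installer does not turn it on,
#       and without it the box is a host, not a gateway)
check_gateway_config() {
    grep -qx 'dhcp' "$ETC/hostname.rl0" 2>/dev/null || return 1
    grep -q '^inet 10\.6\.7\.254 255\.255\.255\.0' "$ETC/hostname.vr0" 2>/dev/null \
        || return 2
    grep -q '^net\.inet\.ip\.forwarding=1' "$ETC/sysctl.conf" 2>/dev/null \
        || return 3
    return 0
}

# Usage: sh gateway-check.sh check
if [ "${1:-}" = "check" ]; then
    if check_gateway_config; then
        echo "red/green gateway config looks sane"
    else
        echo "gateway check failed with code $?" >&2
    fi
fi
```

The forwarding sysctl is the one thing the installer leaves off that a gateway needs, so the check deliberately fails until net.inet.ip.forwarding=1 is in /etc/sysctl.conf.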

Install Sets

After adding your root account password you'll be prompted for the location of the install sets.

 Sets can be located on a (m)ounted filesystem; a (c)drom, (d)isk or (t)ape 
 device; or a (f)tp, (n)fs or (h)ttp server.
 Where are the install sets? (or 'done')

If you chose to create a bootable self-contained OpenBSD CD as described in Creating a bootable OpenBSD ISO, choose 'c' in the above menu. If not, you'll need to have working internet access and press either 'f' or 'h' to initiate a network install.

I usually remove game38.tgz by typing:

 Set name? (or 'done')[bsd.mp] -game38.tgz enter
 Set name? (or 'done')[bsd.mp] done enter

Now install the sets and go get a drink while it does its thing.


Final Configuration

 Location of sets? (cd disk ftp http or 'done')

Type done.

 Start sshd(8) by default? [yes]

Press enter.

 Start ntpd(8) by default? [no]

Press enter.

 Do you expect to run the X Window System? [yes]

Type no, then press enter.

 Change the default console to com? [no]

Press enter.

Choose your timezone: I'm in Canada/Pacific

That should be about it. Now go play CS. "Welcome to the Server ... Let's play..."