Everyone knows that OpenBSD is the most secure PC operating system around. That is one of the main reasons why it makes the perfect firewall. It's simple, free, open-source, secure, reliable and will help you sleep soundly at night.
OpenBSD will work on a variety of platforms, but this document is mainly concerned with the Intel architecture, for no other reason than that it is widely available and cheap. Essentially, this small introduction can be applied to any architecture without much difficulty.
This tutorial explains the process of constructing a bridging firewall with OpenBSD.
This is relatively straightforward, to start off with - go to http://www.openbsd.org/, find your closest mirror, and follow the install instructions.
In a nutshell, you download a floppy disk image (currently named floppy25.fs), put it onto a disk using dd or rawrite.exe and boot from it. You'll get asked lots of simple questions, be given the opportunity to partition your hard disk and be asked how you want to install. FTP is a good method and, if you decide to use it, you'll be offered a list of FTP servers to use. Choose the nearest to you and let it happen. Hey presto - installed.
When you reboot into OpenBSD, type:
man afterboot
Personally I do the following:
Finally - send some hardware or money to the OpenBSD project by buying something - a CD-ROM or T-shirt. It's a wonderful operating system and needs your support.
The kernel needs IP Filter and the bridge pseudo-device compiled in. Check your kernel configuration for these lines:
option IPFILTER
option IPFILTER_LOG
pseudo-device bridge 2
Add them if they're not already there.
The simplest configuration is to use one of your two ethernet cards as your main interface, which will be given an IP address. The other card will be brought up but will not have any IP addresses associated with it.
Let's assume you have two ethernet adapters, which manifest themselves in the kernel as 'xl0' and 'xl1'. Arbitrarily we'll make 'xl0' the main interface. The commands to configure the cards and the bridge would be:
ifconfig xl0 <ipaddress> netmask <netmask> up
ifconfig xl1 up
brconfig bridge0 add xl0 add xl1 maxaddr 2000 up
This would configure both interfaces, add them to the bridge0 device, and make the bridge active. The 'maxaddr 2000' term specifies how many MAC addresses are to be remembered by the bridging cache. Set this to the upper limit of how many MAC addresses will be present on the network.
OpenBSD provides a simple way to configure the network adapters at boot. To do this, create a file called '/etc/hostname.xl0' and place the following inside using your favourite text editor:
inet <ipaddress> <netmask> NONE
for example:
inet 10.0.0.1 255.0.0.0 NONE
All we want to do to xl1 is to bring it up. So we create /etc/hostname.xl1 simply containing the word:
up
Next, the bridge device. Place the following into /etc/bridgename.bridge0
add xl0 add xl1 maxaddr 2000 up
Finally, we edit /etc/rc.conf.
Look for the line that starts
ipfilter=
and modify it to say
ipfilter=YES
This is also a good time to turn off any other junk you won't need, e.g.
inetd=NO
portmap=NO
At boot time, these files will be consulted by /etc/netstart and the interfaces configured accordingly, as if you had typed the commands manually. When the OS comes up, the interfaces will be bridging.
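As an added example (not part of the original tutorial), the following POSIX sh script stages the three boot-time files described above into a directory and checks them for consistency before they are copied into /etc; the interface names, address, netmask, maxaddr and staging directory are caller-supplied (constructed) values, and rc_conf_check looks only at the three rc.conf settings discussed here.

```shell
#!/bin/sh
# Added example: stage the boot-time files from the tutorial and sanity-check
# them before copying to /etc. All argument values are constructed by the caller.

# write_bridge_config MAIN_IF OTHER_IF IPADDR NETMASK MAXADDR [DESTDIR]
write_bridge_config() {
    main_if=$1; other_if=$2; ipaddr=$3; netmask=$4; maxaddr=$5
    dest=${6:-./etc-staging}          # constructed staging path, not /etc
    mkdir -p "$dest" || return 1
    # main interface gets the address; NONE is the broadcast field
    printf 'inet %s %s NONE\n' "$ipaddr" "$netmask" > "$dest/hostname.$main_if"
    # second interface carries no address and is only brought up
    printf 'up\n' > "$dest/hostname.$other_if"
    # bridge members plus the MAC-cache limit, in the form brconfig takes them
    printf 'add %s add %s maxaddr %s up\n' "$main_if" "$other_if" "$maxaddr" \
        > "$dest/bridgename.bridge0"
}

# check_bridge_config MAIN_IF OTHER_IF [DESTDIR]: 0 if consistent, 1 otherwise
check_bridge_config() {
    main_if=$1; other_if=$2; dest=${3:-./etc-staging}
    grep -q '^inet ' "$dest/hostname.$main_if" \
        || { echo "no inet line for $main_if" >&2; return 1; }
    # the unaddressed side must contain nothing but "up"
    [ "$(cat "$dest/hostname.$other_if")" = "up" ] \
        || { echo "hostname.$other_if must contain only 'up'" >&2; return 1; }
    for ifn in "$main_if" "$other_if"; do
        grep -q "add $ifn" "$dest/bridgename.bridge0" \
            || { echo "$ifn missing from bridgename.bridge0" >&2; return 1; }
    done
    # maxaddr must be numeric and the bridge must be brought up
    grep -Eq 'maxaddr [0-9]+ up$' "$dest/bridgename.bridge0" \
        || { echo "bridgename.bridge0 lacks 'maxaddr N up'" >&2; return 1; }
    return 0
}

# rc_conf_check FILE: 0 if ipfilter is on and inetd/portmap are off
rc_conf_check() {
    grep -q '^ipfilter=YES' "$1" || { echo "ipfilter not enabled" >&2; return 1; }
    if grep -Eq '^(inetd|portmap)=YES' "$1"; then
        echo "inetd or portmap still enabled" >&2; return 1
    fi
    return 0
}
```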
The man pages for brconfig, bridge and ifconfig are well worth reading.