Veghead's Guide to OpenBSD Firewalls

This guide is old and refers to OpenBSD 2.5
You'd be far better off looking at the new guide.

Introduction

If you are thinking of implementing a firewall for you network, you will probably be bombarded by many vendors trying to sell you a variety of off-the-shelf firewall solutions for large amounts of money. However, with a small investment in effort you can have one of the most effective and secure firewalls in a small amount of time, just for the cost of a PC.

Everyone knows that OpenBSD is the most secure PC operating system around. That is one of the main reasons why it makes the perfect firewall. Its simple, free, open-source, secure, reliable and will help you sleep soundly at night.

OpenBSD will work on a variety of platforms but this doument is mainly concerned with Intel architecture. Not for any othe rreason than it is widely available and cheap. Essentially this small introduction can be applied to any architecture without much difficulty.

This tutorial explains the process of constructing a bridging firewall with OpenBSD.

First off

Install OpenBSD

This is relatively straightforward, to start off with - go to http://www.openbsd.org/, find your closest mirror, and follow the install instructions.

In a nutshell, you download an floppy disk image (currently named floppy25.fs), put it onto a disk using dd or rawrite.exe and boot from it. You'll get asked lots of simple questions, given the opportunity to partition your hard-disk and asked how you want to install. FTP is a good method and if you decide to use it, you'll get offered a list of FTP servers to use. Choose the nearest to you and let it happen. Hey presto - installed.

When you reboot into OpenBSD, type:

man afterboot

which has got lots of suggestions for what to do initially.

Personally I do the following:

Finally - send some hardware or money to the openbsd project buy buying something - a cd-rom or t-shirt. Its a wonderful operating system and needs your support.

Kernel Support

You will need to make sure the kernel has packet filtering enabled. In OpenBSD 2.5 it is part of the GENERIC config, and so you can ignore this section. However if for some reason you dont have it then you will need to compile a new kernel but DONT PANIC - it really is simple. Here's how to do it in a nutshell.

Constructing a bridge

The first step in making the firewall is to turn the BSD box into a bridge. This means that all traffic on each interface will be forwarded to the other interface. Without any filtering this would allow the joining together of two ethernet networks.

The simplest configuration is to use one of your two ethernet cards as your main interface, which will be given an IP address. The other card will be brought up but will not have any IP addresses associated with it.

Lets assume you have two ethernet adapters, which manifest themselves in the kernel as 'xl0' and 'xl1'. Arbitrarily we'll make 'xl0' the main interface. The commands to configure the cards and the bridge would be:

ifconfig xl0 <ipaddress> netmask <netmask> up
ipconfig xl1 up
brconfig bridge0 add xl0 add xl1 maxaddr 2000 up
This would configure both interfaces, add them to the bridge0 device, and make the bridge active. The 'maxaddr 2000' term specifies how many MAC addresses are to be remembered by the bridging cache. Set this to the upper limit of how many mac addresses will be available on the network.

OpenBSD provides a simple way to configure the network adapters at boot up. To do this, create a file called '/etc/hostname.xl0' and place the following inside using your favourite text editor:

inet <ipaddress> <netmask> NONE
for example:
inet 10.0.0.1 255.0.0.0 NONE

All we want to do to xl1 is to bring it up. So we create /etc/hostname.xl1 simply containing the word:

up

Next, the bridge device. Place the following into /etc/bridgename.bridge0


add xl0 add xl1 maxaddr 2000 up

Finally, we edit /etc/rc.conf.
Look for the line that starts

ipfilter=
and modify it to say
ipfilter=YES
This is also a good time to also turn off any other junk you won't need. eg
inetd=NO
portmap=NO
At boot time, these files will be consulted by /etc/netstart and the interfaces configured accordingly as if you had typed the commands manually. When the OS comes up, the interfaces will be bridging.

The man pages for brconfig, bridge and ifconfig are well worth reading.

Filtering Traffic

Whether you use ethernet, Frame Relay, ATM or PPP, IP filtering rules will all apply. This is due to the wonderful BSD networking architecture.