Earlier versions of this project were used at Eurospider by Mihai Barbos (https://github.com/mbarbos) to build corporate-style firewalls with Portwell hardware.
It ran on a Soekris net6501 for 4 years.
Newer versions run on a Network LES of Thomas Krenn now.
I merely collected the ideas and updated them to new versions of OpenBSD and cleaned up the repository a little bit. :-)
And I’m using it at home on an Alix 2D.13.
Further development happens on git://git.andreasbaumann.cc/OpenBSD-firewall.git or http://git.andreasbaumann.cc/cgit/OpenBSD-firewall/.
Check disk geometry of flash with:
Adapt disk geometry in hardware/[machine]/flash_params.
Run ‘build.sh [machine] [flash_profile]’, e.g.
build.sh firewall-test firewall-test
Transfer image to flash:
dd if=[machine].img of=/dev/wd0c
or remotely (after booting from floppy dongle or from hard disk):
dd if=[machine].img | ssh [machine] "dd of=/dev/wd1c"
- build.sh: central build script
- doc: various documentation
- template: common files with variables being substituted and then copied to the image
- config: machine-specific configuration (e.g. pf.conf)
- hardware: flash disk geometry for specific machines
updated to OpenBSD 6.8
updated to OpenBSD 6.7
updated to OpenBSD 6.6
updated to OpenBSD 6.5
updated to OpenBSD 6.4
moved repository from Github to a local repository.
updated to OpenBSD 6.3
updated to OpenBSD 6.2
updated to OpenBSD 6.1
updated to OpenBSD 6.0
updated to OpenBSD 5.9
updated to OpenBSD 5.8 example shows how to use two nsd's and one unbound to replace a split horizon configuration formerly done with bind views
- update to new versions of OpenBSD as they come along
- improve update process, preferably an in-situ update via TFTP
- deal with logging
- remote syslog
- various playgrounds
- ospf, pfsync, carp
- automatic acme and relayd certificate renewal for HTTPS relaying
Other Embedded OpenBSD projects
Possible small OpenBSD makers (low level):
- CompactBSD: http://compactbsd.sourceforge.net/, back in 2002, looks like OpenBSD 3.x was the last version tested
- Flashboot: http://www.mindrot.org/projects/flashboot/
- http://www.kernel-panic.it/software/bowlfish/: latest version 2.1 seems a little bit old (11.4.2013). The description about Embedded OpenBSD is very worthy to read, gives quite some insights how it works. sort of a normal BSD install, not really automatic seems to be for OpenBSD 4.9, not for 5.x ./install: /usr/mdec/installboot: not found some files in etc missing
- Soekris256: http://256.com/gray/docs/soekris_openbsd_diskless/
At Eurospider we had Portwell NAR-2054 (3 and 5 ethernet port versions), some have VGA ports and USBs, others only COMs, so make sure we always get boot output on COM.
Now at Eurospider we run it on a Soekris net6501.
At home I’m running it on an ALIX.2D13 with 3 LAN ports and a WLAN card.
VirtualBox build and test
Create a VMDK wrapper for the disk image built with ‘build.sh firewall-test’:
VBoxManage internalcommands createrawvmdk -filename firewall-test.vmdk -rawdisk firewall-test.image
Copy firewall-test.image from OpenBSD machine to the machine running Virtualbox.
Use COM1 and /tmp/serial, host pipe, create pipe in VirtualBox, then:
socat unix-connect:/tmp/serial stdio,raw,echo=0,icanon=0
The network devices is ‘em0’ not ‘reX’ on VirtualBox (as opposed to the real box, at the time of writting there is no Realtek ethernet card emulated in VirtualBox). Troubleshooting DMA issues
If you get something like
pciide0:0:0: bus-master DMA error: missing interrupt, status=0x21
then change the access mode from DMA to PIO x See man wd(4) for the values of flags
config -e -o /bsd.new /bsd UKC> change wd change (y/n) ? y channel [-1] ? -1 flags  ? 0xff0 UKC> quit mv -f /bsd.new /bsd
Links to guides and documentation
- Manpages of OpenBSD
- http://home.nuug.no/~peter/pf/en/long-firewall.html and his “Book of PF”.
- limit handling in production (connection states): http://www.skeptech.org/blog/2013/01/15/pf-limits-in-openbsd/
http://securityrouter.org, OpenBSD-based, free and commercial versions available, has a GUI