Earlier versions of this project were used at Eurospider by Mihai Barbos ( to build corporate-style firewalls with Portwell hardware.

It ran on a Soekris net6501 for 4 years.

Newer versions run on a Network LES of Thomas Krenn now.

I merely collected the ideas and updated them to new versions of OpenBSD and cleaned up the repository a little bit. :-)

And I’m using it at home on an Alix 2D.13.


Further development happens on git:// or


Check disk geometry of flash with:

disklabel wd0

Adapt disk geometry in hardware/[machine]/flash_params.

Run ‘ [machine] [flash_profile]’, e.g. firewall-test firewall-test

Transfer image to flash:

dd if=[machine].img of=/dev/wd0c

or remotely (after booting from floppy dongle or from hard disk):

dd if=[machine].img | ssh [machine] "dd of=/dev/wd1c"

Directory layout

  • central build script
  • doc: various documentation
  • template: common files with variables being substituted and then copied to the image
  • config: machine-specific configuration (e.g. pf.conf)
  • hardware: flash disk geometry for specific machines



updated to OpenBSD 7.3


updated to OpenBSD 7.2


updated to OpenBSD 7.1


updated to OpenBSD 7.0


updated to OpenBSD 6.9


updated to OpenBSD 6.8


updated to OpenBSD 6.7


updated to OpenBSD 6.6


updated to OpenBSD 6.5


updated to OpenBSD 6.4


moved repository from Github to a local repository.


updated to OpenBSD 6.3


updated to OpenBSD 6.2


updated to OpenBSD 6.1


updated to OpenBSD 6.0


updated to OpenBSD 5.9


updated to OpenBSD 5.8
example shows how to use two nsd's and one unbound to replace a split horizon configuration formerly done with bind views


  • update to new versions of OpenBSD as they come along
  • improve update process, preferably an in-situ update via TFTP
  • deal with logging
    • sensord
    • remote syslog
  • various playgrounds
    • ospf, pfsync, carp
    • automatic acme and relayd certificate renewal for HTTPS relaying

Other Embedded OpenBSD projects

Possible small OpenBSD makers (low level):

more high-level:



At Eurospider we had Portwell NAR-2054 (3 and 5 ethernet port versions), some have VGA ports and USBs, others only COMs, so make sure we always get boot output on COM.

It ran on a Soekris net6501 for 4 years, then the Soekris died.

Newer versions run on a Network LES of Thomas Krenn now.

At home I’m running it on an ALIX.2D13 with 3 LAN ports and a WLAN card.

VirtualBox build and test

Create a VMDK wrapper for the disk image built with ‘ firewall-test’:

VBoxManage internalcommands createrawvmdk -filename firewall-test.vmdk -rawdisk firewall-test.image

Copy firewall-test.image from OpenBSD machine to the machine running Virtualbox.

Use COM1 and /tmp/serial, host pipe, create pipe in VirtualBox, then:

socat unix-connect:/tmp/serial stdio,raw,echo=0,icanon=0

The network devices is ’em0’ not ‘reX’ on VirtualBox (as opposed to the real box, at the time of writting there is no Realtek ethernet card emulated in VirtualBox). Troubleshooting DMA issues

If you get something like

pciide0:0:0: bus-master DMA error: missing interrupt, status=0x21

then change the access mode from DMA to PIO x See man wd(4) for the values of flags

config -e -o / /bsd

UKC> change wd
change (y/n) ? y
channel [-1] ? -1
flags [0] ? 0xff0
UKC> quit

mv -f / /bsd

Other projects, OpenBSD-based, free and commercial versions available, has a GUI