OpenBSD-Firewall
History
Earlier versions of this project were used at Eurospider by Mihai Barbos (https://github.com/mbarbos) to build corporate-style firewalls with Portwell hardware.
It ran on a Soekris net6501 for 4 years.
Newer versions run on a Network LES of Thomas Krenn now.
I merely collected the ideas and updated them to new versions of OpenBSD and cleaned up the repository a little bit. :-)
And I’m using it at home on an Alix 2D.13.
Git
Further development happens on git://git.andreasbaumann.cc/OpenBSD-firewall.git or http://git.andreasbaumann.cc/cgit/OpenBSD-firewall/.
Install
Check disk geometry of flash with:
disklabel wd0
Adapt disk geometry in hardware/[machine]/flash_params.
Run ‘build.sh [machine] [flash_profile]’, e.g.
build.sh firewall-test firewall-test
Transfer image to flash:
dd if=[machine].img of=/dev/wd0c
or remotely (after booting from floppy dongle or from hard disk):
dd if=[machine].img | ssh [machine] "dd of=/dev/wd1c"
Directory layout
- build.sh: central build script
- doc: various documentation
- template: common files with variables being substituted and then copied to the image
- config: machine-specific configuration (e.g. pf.conf)
- hardware: flash disk geometry for specific machines
News
20.4.2023:
updated to OpenBSD 7.3
22.10.2022:
updated to OpenBSD 7.2
1.5.2022:
updated to OpenBSD 7.1
24.10.2021:
updated to OpenBSD 7.0
3.6.2021:
updated to OpenBSD 6.9
22.10.2020:
updated to OpenBSD 6.8
5.6.2020:
updated to OpenBSD 6.7
20.10.2019:
updated to OpenBSD 6.6
11.05.2019:
updated to OpenBSD 6.5
28.10.2018:
updated to OpenBSD 6.4
06.05.2018:
moved repository from Github to a local repository.
15.04.2018:
updated to OpenBSD 6.3
19.10.2017:
updated to OpenBSD 6.2
14.4.2017:
updated to OpenBSD 6.1
18.9.2016:
updated to OpenBSD 6.0
15.7.2016:
updated to OpenBSD 5.9
17.1.2016:
updated to OpenBSD 5.8
example shows how to use two nsd's and one unbound to replace a split horizon configuration formerly done with bind views
Roadmap
- update to new versions of OpenBSD as they come along
- improve update process, preferably an in-situ update via TFTP
- deal with logging
- sensord
- remote syslog
- various playgrounds
- ospf, pfsync, carp
- automatic acme and relayd certificate renewal for HTTPS relaying
Other Embedded OpenBSD projects
Possible small OpenBSD makers (low level):
- CompactBSD: http://compactbsd.sourceforge.net/, back in 2002, looks like OpenBSD 3.x was the last version tested
- Flashboot: http://www.mindrot.org/projects/flashboot/
- Flashrd/Flashdist:
- http://www.nmedia.net/flashrd/rlsnotes.html
- https://github.com/yellowman/flashrd/
- http://www.nmedia.net/~chris/soekris/: original page which has gone, flashdist is the older version of flashrd. The EIT firewalls where based on early scripts of Chris Cappuccio (early flashdist)
- Bowlfish:
- http://www.kernel-panic.it/software/bowlfish/: latest version 2.1 seems a little bit old (11.4.2013). The description about Embedded OpenBSD is very worthy to read, gives quite some insights how it works. sort of a normal BSD install, not really automatic seems to be for OpenBSD 4.9, not for 5.x ./install[332]: /usr/mdec/installboot: not found some files in etc missing
- Soekris256: http://256.com/gray/docs/soekris_openbsd_diskless/
more high-level:
others:
- https://andrewmemory.wordpress.com/tag/flashrd/
- http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html
- http://glozer.net/soekris/cf-install.html
- http://verb.bz/2011/06/12/openbsd-embedded-router/
Hardware
At Eurospider we had Portwell NAR-2054 (3 and 5 ethernet port versions), some have VGA ports and USBs, others only COMs, so make sure we always get boot output on COM.
It ran on a Soekris net6501 for 4 years, then the Soekris died.
Newer versions run on a Network LES of Thomas Krenn now.
At home I’m running it on an ALIX.2D13 with 3 LAN ports and a WLAN card.
VirtualBox build and test
Create a VMDK wrapper for the disk image built with ‘build.sh firewall-test’:
VBoxManage internalcommands createrawvmdk -filename firewall-test.vmdk -rawdisk firewall-test.image
Copy firewall-test.image from OpenBSD machine to the machine running Virtualbox.
Use COM1 and /tmp/serial, host pipe, create pipe in VirtualBox, then:
socat unix-connect:/tmp/serial stdio,raw,echo=0,icanon=0
The network devices is ’em0’ not ‘reX’ on VirtualBox (as opposed to the real box, at the time of writting there is no Realtek ethernet card emulated in VirtualBox). Troubleshooting DMA issues
If you get something like
pciide0:0:0: bus-master DMA error: missing interrupt, status=0x21
then change the access mode from DMA to PIO x See man wd(4) for the values of flags
config -e -o /bsd.new /bsd
UKC> change wd
change (y/n) ? y
channel [-1] ? -1
flags [0] ? 0xff0
UKC> quit
mv -f /bsd.new /bsd
Links to guides and documentation
- Manpages of OpenBSD
- http://home.nuug.no/~peter/pf/en/long-firewall.html and his “Book of PF”.
- limit handling in production (connection states): http://www.skeptech.org/blog/2013/01/15/pf-limits-in-openbsd/
Other projects
http://securityrouter.org, OpenBSD-based, free and commercial versions available, has a GUI