OpenBSD-Firewall

History

Earlier versions of this project were used at Eurospider by Mihai Barbos (https://github.com/mbarbos) to build corporate-style firewalls with Portwell hardware.

It ran on a Soekris net6501 for 4 years.

Newer versions run on a Network LES of Thomas Krenn now.

I merely collected the ideas and updated them to new versions of OpenBSD and cleaned up the repository a little bit. :-)

And I’m using it at home on an Alix 2D.13.

Git

Further development happens on git://git.andreasbaumann.cc/OpenBSD-firewall.git or http://git.andreasbaumann.cc/cgit/OpenBSD-firewall/.

Install

Check disk geometry of flash with:

disklabel wd0

Adapt disk geometry in hardware/[machine]/flash_params.

Run ‘build.sh [machine] [flash_profile]’, e.g.

build.sh firewall-test firewall-test

Transfer image to flash:

dd if=[machine].img of=/dev/wd0c

or remotely (after booting from floppy dongle or from hard disk):

dd if=[machine].img | ssh [machine] "dd of=/dev/wd1c"

Directory layout

• build.sh: central build script
• doc: various documentation
• template: common files with variables being substituted and then copied to the image
• config: machine-specific configuration (e.g. pf.conf)
• hardware: flash disk geometry for specific machines

News

20.4.2023:

updated to OpenBSD 7.3

22.10.2022:

updated to OpenBSD 7.2

1.5.2022:

updated to OpenBSD 7.1

24.10.2021:

updated to OpenBSD 7.0

3.6.2021:

updated to OpenBSD 6.9

22.10.2020:

updated to OpenBSD 6.8

5.6.2020:

updated to OpenBSD 6.7

20.10.2019:

updated to OpenBSD 6.6

11.05.2019:

updated to OpenBSD 6.5

28.10.2018:

updated to OpenBSD 6.4

06.05.2018:

moved repository from Github to a local repository.

15.04.2018:

updated to OpenBSD 6.3

19.10.2017:

updated to OpenBSD 6.2

14.4.2017:

updated to OpenBSD 6.1

18.9.2016:

updated to OpenBSD 6.0

15.7.2016:

updated to OpenBSD 5.9

17.1.2016:

updated to OpenBSD 5.8
example shows how to use two nsd's and one unbound to replace a split horizon configuration formerly done with bind views

Roadmap

• update to new versions of OpenBSD as they come along
• improve update process, preferably an in-situ update via TFTP
• deal with logging
  • sensord
  • remote syslog
• various playgrounds
  • ospf, pfsync, carp
  • automatic acme and relayd certificate renewal for HTTPS relaying

Other Embedded OpenBSD projects

Possible small OpenBSD makers (low level):

• CompactBSD: http://compactbsd.sourceforge.net/, back in 2002, looks like OpenBSD 3.x was the last version tested
• Flashboot: http://www.mindrot.org/projects/flashboot/
• Flashrd/Flashdist:
  • http://www.nmedia.net/flashrd/rlsnotes.html
  • https://github.com/yellowman/flashrd/
  • http://www.nmedia.net/~chris/soekris/: original page which has gone, flashdist is the older version of flashrd. The EIT firewalls where based on early scripts of Chris Cappuccio (early flashdist)
• Bowlfish:
  • http://www.kernel-panic.it/software/bowlfish/: latest version 2.1 seems a little bit old (11.4.2013). The description about Embedded OpenBSD is very worthy to read, gives quite some insights how it works. sort of a normal BSD install, not really automatic seems to be for OpenBSD 4.9, not for 5.x ./install[332]: /usr/mdec/installboot: not found some files in etc missing
  • Soekris256: http://256.com/gray/docs/soekris_openbsd_diskless/

more high-level:

• http://opensoekris.sourceforge.net/
• http://compactbsd.sourceforge.net/

others:

• https://andrewmemory.wordpress.com/tag/flashrd/
• http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html
• http://glozer.net/soekris/cf-install.html
• http://verb.bz/2011/06/12/openbsd-embedded-router/

Hardware

At Eurospider we had Portwell NAR-2054 (3 and 5 ethernet port versions), some have VGA ports and USBs, others only COMs, so make sure we always get boot output on COM.

It ran on a Soekris net6501 for 4 years, then the Soekris died.

Newer versions run on a Network LES of Thomas Krenn now.

At home I’m running it on an ALIX.2D13 with 3 LAN ports and a WLAN card.

VirtualBox build and test

Create a VMDK wrapper for the disk image built with ‘build.sh firewall-test’:

VBoxManage internalcommands createrawvmdk -filename firewall-test.vmdk -rawdisk firewall-test.image

Copy firewall-test.image from OpenBSD machine to the machine running Virtualbox.

Use COM1 and /tmp/serial, host pipe, create pipe in VirtualBox, then:

socat unix-connect:/tmp/serial stdio,raw,echo=0,icanon=0

The network devices is ’em0’ not ‘reX’ on VirtualBox (as opposed to the real box, at the time of writting there is no Realtek ethernet card emulated in VirtualBox). Troubleshooting DMA issues

If you get something like

pciide0:0:0: bus-master DMA error: missing interrupt, status=0x21

then change the access mode from DMA to PIO x See man wd(4) for the values of flags

config -e -o /bsd.new /bsd

UKC> change wd
change (y/n) ? y
channel [-1] ? -1
flags [0] ? 0xff0
UKC> quit

mv -f /bsd.new /bsd

Links to guides and documentation

• Manpages of OpenBSD
• http://home.nuug.no/~peter/pf/en/long-firewall.html and his “Book of PF”.
• limit handling in production (connection states): http://www.skeptech.org/blog/2013/01/15/pf-limits-in-openbsd/

Other projects

http://securityrouter.org, OpenBSD-based, free and commercial versions available, has a GUI