Old 02-09-2005, 09:14 PM   #1
Erik Thorsson
Member
Registered: Jun 2004
Location: NYC
Distribution: Fedora Core 1
Posts: 64

Building an OpenBSD 3.6 firewall/router...


Part one: I've got this old AT-style, Socket7 266MHz machine here with 256MB RAM -- do you think it's sufficient to act as a router/firewall between our broadband cable Internet connection and our house LAN (3-4 clients concurrently accessing the Internet)?

Part two: In this old AT box I've got one 10Mbps card, and one 100Mbps card. All our PCs are 100Mbps NICs. I figure I'll face the 10Mbps card out to the world (i.e. the cable modem), since we're not going to pull 10Mbps off the cable line anyway. Right? I've only seen us pull 3-5Mbps tops.

Part three: I don't have a switch, but I have our old D-Link router (DI-624). If there is nothing plugged into the WAN port and I turn the DHCP server off, will it act as a switch??? I have an old Linksys router that I have used like this, as a switch, before.

What do you think?

-E
Old 02-10-2005, 09:59 PM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

(1) Should be more than enough. My current router is an old PII 366 MHz with 128 MB of RAM and an old 1.2 GB hard drive, running OpenBSD 3.6.

(2) Also sounds good. You should probably check the NICs with the OpenBSD hardware compatibility list to be sure. I think some cable modems can only do 10 Mbps, and as you said, you wouldn't pull more than that from a cable line anyways.

(3) Again, sounds fine, but you should probably check the switch's docs if you have it. You can get fast ethernet switches dirt cheap these days anyway, if it doesn't work for some reason.
Old 02-11-2005, 10:26 AM   #3
halo14
Senior Member
 
Registered: Apr 2004
Location: Surprise, AZ
Distribution: Debian | CentOS | Arch
Posts: 1,103

Sounds like a great idea... but if you are a little bit new... I would recommend checking out SmoothWall at www.smoothwall.org

It's very easy to set up and administer (administration is all done via a web interface from a remote machine on the LAN, similar to a cheap Linksys router, or the like), it gives you great logs of blocked traffic, and also uses Snort for intrusion detection including logs. It can do DHCP, port forwarding, VPN, and all kinds of other stuff.. It would run great on that box... I have one running on a 200 MHz MMX with 32 MB of RAM.. I have Snort disabled.. but it runs great.. and I do a lot of downloading.. and this is with 5 computers and 2 laptops that get access through it..

It's definitely worth checking out.. OpenBSD will make a fantastic firewall/router as well.. it just takes more setup..
Old 02-11-2005, 11:07 AM   #4
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Smoothwall is Linux. If you want a BSD based firewall, check out netboz (weird license on it) or m0n0wall or pfSense

Note: pfSense is monowall with some notable enhancements (pf).

But yes, your machine should be plenty to run this setup.

Old 02-11-2005, 01:36 PM   #5
Erik Thorsson
Member
 
Registered: Jun 2004
Location: NYC
Distribution: Fedora Core 1
Posts: 64

Thanks for the replies.

I set up pf last night and put the machine in place. Seems to work great.

Two things:

1. It doesn't automatically configure the default gateway, so I have to use '# route' to get it, and then set it in /etc/mygate.

2. When it DHCPs from Earthlink it grabs their nameservers and puts them in /etc/resolv.conf. I'm running named on this box as well, so I'd like it to keep itself as the sole nameserver. Is there any way to tell DHCP not to use the nameserver information from its lease? Seems like you can change /etc/resolv.conf on the fly in OpenBSD and the server will pick it up. It's not like this in Linux. You have to restart networking to get it to pick up changes in resolv.conf.

-E
Old 02-11-2005, 02:17 PM   #6
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

man dhclient.conf(5)
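What the dhclient.conf(5) pointer amounts to in practice, as an added example that is not part of the thread: a supersede statement makes dhclient ignore the nameservers offered in the lease and write the local named into /etc/resolv.conf instead. It assumes the external, DHCP-configured interface is xl0, as named in the later post.

```conf
# /etc/dhclient.conf -- constructed example for OpenBSD 3.6, not from the thread
interface "xl0" {
    # Always write the named running on this box into /etc/resolv.conf,
    # regardless of the domain-name-servers option carried in the lease.
    supersede domain-name-servers 127.0.0.1;
}
```

The change takes effect the next time dhclient runs on xl0 (e.g. `sh /etc/netstart xl0` or a reboot), at which point /etc/resolv.conf is rewritten with only 127.0.0.1.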
Old 02-11-2005, 03:27 PM   #7
Erik Thorsson
Member
 
Registered: Jun 2004
Location: NYC
Distribution: Fedora Core 1
Posts: 64

Done. Thanks for that.

Now...

If the world-facing interface is xl0, and the LAN interface is xl1, what pf.conf rdr statement would I need to forward port 80 requests from the outside world to a server on the internal LAN? I read the pf manual (alright, I skimmed it) and found an example config in there that would supposedly do this. I put the line in my pf.conf file and reloaded the conf (pfctl -f /etc/pf.conf), but it's not working.

Here's my current pf.conf...

zephyr# cat pf.conf
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $

#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#


# macros
int_if = "xl1"
ext_if = "xl0"
wwwserv = "192.168.1.127"

tcp_services = "{ 22, 113, 80 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.1.0/24 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
# ADDED THE FOLLOWING LINE TO FORWARD WWW TRAFFIC TO INTERNAL SERVER
rdr on $ext_if proto tcp from any to any port 80 -> 192.168.1.127 \
port 80
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
port 8021

# filter rules
block all

pass quick on lo0 all

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
zephyr#
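Why the rdr line alone does not work, as a corrected fragment added here and not taken from the thread: pf rewrites the destination address before the filter rules are evaluated, so the inbound packet reaches the filter with 192.168.1.127 as its destination, and the only pass rule on $ext_if matches traffic to ($ext_if), so `block all` wins. The fragment reuses the macros from the posted pf.conf and assumes the pre-4.7 rdr syntax that OpenBSD 3.6 uses.

```conf
# macros, as in the posted pf.conf
ext_if  = "xl0"
int_if  = "xl1"
wwwserv = "192.168.1.127"

# nat/rdr: redirect only packets actually addressed to the external
# interface, rather than "to any", and use the macro instead of the
# literal address so the filter rule below cannot drift from it
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $wwwserv port 80

# filter: rdr has already rewritten the destination, so the pass rule
# must match the internal server address, not ($ext_if). Limiting it to
# port 80 keeps every other port on the server closed from the outside.
pass in on $ext_if inet proto tcp from any to $wwwserv port 80 \
    flags S/SA keep state

# The existing LAN rule already lets the translated packet leave on xl1:
#   pass out on $int_if from any to $int_if:network keep state
# Note: LAN hosts reaching the server via the public address need a
# separate rdr on $int_if (reflection); this fragment covers outside
# clients only.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sn` and `pfctl -sr` then show the nat/rdr and filter rules pf actually holds.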