Friday, January 12, 2007

Setting up OpenBSD as a Gateway/Firewall

Today I set up and tested my first OpenBSD firewall/gateway. It was really fun. Before today I had completed bits and pieces of the setup but not the entire process.
These were the steps I took:

# 1. Install:

Partitions =
Filesystem   Size      Mounted on
/dev/wd0a    150.1M    /
/dev/wd0b    383.9M    swap
/dev/wd0d    511.9M    /tmp
/dev/wd0e    99.9M     /var
/dev/wd0f    5120.2M   /usr
/dev/wd0g    2048.0M   /home

Sets =
bsd - This is the kernel. Required.
base40.tgz - Contains the base OpenBSD system
etc40.tgz - Contains all the files in /etc

# 2. Filtering and Firewalling OpenBSD:

First I prepared pf by enabling it in rc.conf.local (I will need to reboot for this to take effect):
# echo "#Start PF" >> /etc/rc.conf.local
# echo pf=YES >> /etc/rc.conf.local

Now I need to configure pf.conf:
# vi /etc/pf.conf

If you need help creating a pf ruleset, please have a look at the following: PF User's Guide, pf(4), pfctl(8), pf.conf(5), pf.os(5), pflog(4), pfsync(4), altq(9).

# 3. Setting up your OpenBSD box as a Gateway
Allow IP forwarding by adding this line to the /etc/sysctl.conf configuration file:
# echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf

Now modify the routes on the hosts on both sides so that they use this box as their gateway.
Routes can also be managed dynamically with routed(8) or OpenBGPD, both of which are in the base OpenBSD install.

# 4. DHCP Server

# Configuring the DHCP server, dhcpd
# echo "#Start dhcpd" >> /etc/rc.conf.local
# echo 'dhcpd_flags=""' >> /etc/rc.conf.local

# Put the interfaces that you want dhcpd to listen on in /etc/dhcpd.interfaces:
# echo rl1 > /etc/dhcpd.interfaces
# Then, edit /etc/dhcpd.conf
# vi /etc/dhcpd.conf
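
Here is a worked pf.conf and dhcpd.conf for this two-NIC layout, added as an example rather than taken from the post: it assumes rl0 faces the outside, rl1 is the LAN interface from the dhcpd.interfaces step, the LAN is a constructed 192.168.1.0/24 with the gateway at 192.168.1.1, and the pre-4.7 "nat on" syntax that matches the OpenBSD 4.0 sets installed above.

```shell
#!/bin/sh
# Added example, not the post's own config. Assumptions: rl0 is the external
# interface, rl1 the LAN (the dhcpd.interfaces step above), the LAN is the
# constructed sample 192.168.1.0/24 with the gateway at 192.168.1.1, and the
# pre-4.7 "nat on" syntax matching the OpenBSD 4.0 sets installed above.

write_gateway_config() {
    dir="${1:-/etc}"
    cat > "$dir/pf.conf" <<'EOF'
ext_if="rl0"
int_if="rl1"
int_net="192.168.1.0/24"

set skip on lo
scrub in all

# Rewrite LAN traffic leaving rl0 to whatever address rl0 currently holds
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny inbound (logged to pflog0); drop LAN-sourced packets on other NICs
block in log all
antispoof quick for $int_if

# Traffic leaving the box, forwarded or local, keeps state for the replies
pass out keep state

# LAN hosts may go anywhere; DHCP requests come from 0.0.0.0, so the first
# rule does not match them and they need their own
pass in on $int_if from $int_net to any keep state
pass in on $int_if inet proto udp from any port 68 to any port 67
EOF

    cat > "$dir/dhcpd.conf" <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    range 192.168.1.100 192.168.1.200;
}
EOF

    # Parse the ruleset without loading it when pfctl is present (it is not
    # on a non-OpenBSD host); a syntax error here fails the whole step
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$dir/pf.conf" || return 1
    fi
    return 0
}

# Usage on the gateway itself: write_gateway_config /etc && pfctl -f /etc/pf.conf
```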

# 5. Configuration:

Having su'd to root, create /etc/profile with the content below:
# Configuring profiles:
# echo "alias su='su -l'" > /etc/profile
# echo "alias rm='rm -P'" >> /etc/profile
# echo 'if [ "$USER" = root ]; then' >> /etc/profile
# echo 'PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin' >> /etc/profile
# echo 'PS1="\`hostname -s\`:\`pwd\`# "' >> /etc/profile
# echo 'else' >> /etc/profile
# echo 'PATH=/bin:/usr/bin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.' >> /etc/profile
# echo 'PS1="\`hostname -s\`:\`pwd\`$ "' >> /etc/profile
# echo 'fi' >> /etc/profile

Then I rebooted the system, so that all of the above could take effect. I attached a couple of nodes to the switch, which worked perfectly.
Now I am testing the setup. So far everything is working well :)

I'm not sure how I went; I think I did OK for a first try. If anyone has any suggestions I would be more than willing to hear them. Thank you!


Anonymous said...

I am about to use OpenBSD as a router too, but using a different routing mechanism (BGP), since it will be an edge router.

Have you tested how many packets per second your router is able to process? Have you done some "stress tests"?
I have read that OpenBSD's TCP stack is not that fast compared to FreeBSD or Linux.