Thread: OpenBSD firewall/gateway

  #1 peter (Administrator Advisor), Join Date: Apr 2004

    OpenBSD firewall/gateway

    (Transferred from the wiki by Peter)

    OpenBSD Gateway Howto

    Credits go to the OpenBSD team for granting permission for duplication of the manuals and guides on the website. Thanks to GnuVince and Ashcrow for quick and accurate technical support on the pf.conf file. I originally wrote this paper for the IT department at the company I work for, since any server needs to be well documented on at least how to get it up and going in case a drive needs to be dropped in, brand new, with no data backup available. So some points may not need to be made, but are. I omitted the how-to-use-vi section, what does ‘ls’ do, etc, etc…. Feel free to email me at :: for any questions or comments. You may freely distribute the information within, but if you rebrand and modify, let me know so any of the changes don't point back at me. On to the fun …….
    Table of contents
    1. Obtaining OpenBSD media
    2. Installing OpenBSD
    2.1 Preparing the boot floppy
    2.2 Booting the floppy
    2.3 Creating BSD and swap partition(s)
    2.4 Verifying mount points and formatting partitions
    2.5 Setting up NIC adapter(s)
    2.6 Installation media
    2.7 Choosing installation packages and finishing the install.
    2.8 Timezone settings
    2.9 Finishing it all up
    3. Configuring OpenBSD
    3.1 /etc/sysctl.conf
    3.2 /etc/rc.conf
    3.3 /etc/nat.conf
    3.4 /etc/resolv.conf
    3.5 /etc/hostname.XxYyZz files
    3.6 /etc/pf.conf
    3.7 Starting the NAT service and firewall
    1. Obtaining OpenBSD
    The method that I used was the FTP floppy method. This entails going to and retrieving the boot disc floppy image, writing the image to a blank floppy and booting off the floppy to install via FTP.
    The other, and just as simple method is to use a CD-ROM. Both will do the job just as easily.
    2. Installing OpenBSD
    Since I used the FTP Floppy method, I will detail that. The slight variations are obvious and will be noted as I remember them.
    2.1 — Prepare the boot floppy
    Grab the floppy image and utility to write the image to a floppy from
    Floppy Image ( — The floppy disk image of the OpenBSD Installer
    FDImage ( — Writes the floppy image to a floppy disk.
    C:\fdimage floppy30.fs a:
    2.2 Booting the floppy
    After the boot image is written, you may boot the target machine off the floppy. The boot process is not fast. We are compressing a rather large amount of data onto a small space and thus the decompression may be cumbersome. But after the boot process starts, the speed is rather quick and responsive.
    When prompted for the install type,
    (I)nstall, (U)pgrade or (S)hell? i
    you most likely will want a fresh install — reslicing and reformatting.
    Press ‘I’ and hit enter.
    Welcome to the OpenBSD/i386 3.0 installation program.
    This program is designed to help you put OpenBSD on your disk in a simple and
    rational way.
    As with anything which modifies your disk’s contents, this program can cause
    SIGNIFICANT data loss, and you are advised to make sure your data is backed
    up before beginning the installation process.
    Default answers are displayed in brackets after the questions. You can hit
    Control-C at any time to quit, but if you do so at a prompt, you may have
    to hit return. Also, quitting in the middle of installation may leave your
    system in an inconsistent state. If you hit Control-C and restart the
    install, the install program will remember many of your old answers.
    You can run a shell command at any prompt via ‘!foo’
    or escape to a shell by simply typing ‘!’.
    Specify terminal type [vt220]:
    Hit enter, for the vt220 terminal mode
    The installation program needs to know which disk to consider the root disk.
    Note the unit number may be different than the unit number you used in the
    boot program (especially on a PC with multiple disk controllers).
    Available disks are:
    Which disk is the root disk? [sd0]
    Do you want to use the *entire* disk for OpenBSD? [no]
    Hit enter, to use sd0 as the root disk
    Choose yes for using all of the root disk.
    2.3 Creating BSD and swap partition(s)
    Inside the BIOS ‘A6′ (’OpenBSD’) partition you just created, there resides an
    OpenBSD partition table which defines how this BIOS partition is to be split
    up. This table declares the offsets and sizes of your / partition, your swap
    space, and any other partitions you might create. (NOTE: The OpenBSD disk
    label offsets are absolute, ie. relative to the start of the disk… NOT
    relative to the start of the BIOS ‘A6′ partition).
    disklabel: no disk label
    WARNING: Disk sd0 has no label. You will be creating a new one.
    If this disk is shared with other operating systems, those operating systems
    should have a BIOS partition entry that spans the space they occupy completely.
    For safety, also make sure all OpenBSD file systems are within the offset and
    size specified in the ‘A6′ BIOS partition table. (By default, the disklabel
    editor will try to enforce this). If you are unsure of how to use multiple
    partitions properly (ie. separating /, /usr, /tmp, /var, /usr/local, and other
    things) just split the space into a root and swap partition for now.

    # using MBR partition 3: type A6 off 63 (0x3f) size 16450497 (0xfb03c1)

    Treating sectors 63-80041248 as the OpenBSD portion of the disk.
    You can use the ‘b’ command to change this.
    Initial label editor (enter ‘?’ for help at any prompt)
    > ?
    Here is the BSD version of fdisk. Here is a simple list of commands to use to get around in this tool.
    Available commands:
    p [unit] - print label.
    M - show entire OpenBSD man page for disklabel.
    e - edit drive parameters.
    a [part] - add new partition.
    b - set OpenBSD disk boundaries.
    c [part] - change partition size.
    d [part] - delete partition.
    g [d|b] - Use [d]isk or [b]ios geometry.
    m [part] - modify existing partition.
    n [part] - set the mount point for a partition.
    r - recalculate free space.
    u - undo last change.
    s [path] - save label to file.
    w - write label to disk.
    q - quit and save changes.
    x - exit without saving changes.
    X - toggle expert mode.
    ? [cmnd] - this message or command specific help.
    Numeric parameters may use suffixes to indicate units:
    ‘b’ for bytes, ‘c’ for cylinders, ‘k’ for kilobytes, ‘m’ for megabytes,
    ‘g’ for gigabytes or no suffix for sectors (usually 512 bytes).
    Non-sector units will be rounded to the nearest cylinder.
    Entering ‘?’ at most prompts will give you (simple) context sensitive help.
    I used the following list of commands to get the drive sliced properly — a root ( / ), swap, and var (/var) slices were used.
    d a
    d b
    d d
    d e
    a a
    for offset
    3903401 for size
    [4.2BSD] slice type
    / Mount point
    a b
    for offset
    256000 for size
    for swap
    a d
    for offset
    for size
    for BSD slice type
    /var for mount point
    This should have your slices set up. A ‘p’ should clear up any doubts.
    Type w and then q to write table and quit fdisk.
    2.4 Verifying mount points and formatting partitions
    Next, BSD will need to format and verify the mount points of each partition.
    You will now have the opportunity to enter filesystem information for sd0.
    You will be prompted for the mount point (full path, including the prepending
    ‘/’ character) for each BSD partition on wd0. Enter “none” to skip a
    partition or “done” when you are finished.
    The following partitions will be used for the root filesystem and swap:
    sd0a /
    sd0b swap
    Mount point for wd0d (size=82152k) [/tmp, RET, none, or done]?
    Now you can select another disk to initialize. (Do not re-select a disk
    you have already entered information for). Available disks are:
    Which one? [done]
    You have configured the following devices and mount points:
    sd0a /
    sd0d /tmp
    sd0e /var

    The next step will overwrite any existing data on:
    sd0a sd0d sd0e
    Are you really sure that you’re ready to proceed? [n] y
    Creating filesystems…
    Warning: 64 sector(s) in last cylinder unallocated
    /dev/rsd0a: 164240 sectors in 163 cylinders of 16 tracks, 63 sectors
    80.2MB in 11 cyl groups (16 c/g, 7.88MB/g, 1920 i/g)
    /dev/rsd0d: 164304 sectors in 163 cylinders of 16 tracks, 63 sectors
    80.2MB in 11 cyl groups (16 c/g, 7.88MB/g, 1920 i/g)
    /dev/rsd0e: 164304 sectors in 163 cylinders of 16 tracks, 63 sectors
    80.2MB in 11 cyl groups (16 c/g, 7.88MB/g, 1920 i/g)
    Very self-explanatory; however, one not-very-common issue I ran into was the mount point subroutine not terminating properly and requiring a ‘done’ to get it to stop. As you can see above, once you tell it the mount points are correct, you can continue on to the actual formatting of the partitions. A few minutes will pass as it checks for bad blocks and formats.
    2.5 Setting up NIC adapter(s)
    Here we can set up any NIC adapters that may already be present. This is not mandatory at this point, and can be done later. It would be advisable, however, to do it now if you are uncomfortable using vi. Simply follow the instructions. First we need to enter our hostname and domainname. In this case I used as our host/domain name.

  #2 peter (Administrator Advisor), Join Date: Apr 2004
    You will now be given the opportunity to configure the network. This will be
    useful if you need to transfer the installation sets via FTP, HTTP, or NFS.
    Even if you choose not to transfer installation sets that way, this information
    will be preserved and copied into the new root filesystem.
    Configure the network [y]
    Enter system hostname (short form): [] sample5
    Enter DNS domain name: []
    If you have any devices being configured by a DHCP server
    it is recommended that you do not enter a default route or
    any name servers.
    Here we can now setup the IP and subnet of each adapter. Choose one adapter and follow the prompts and give it the appropriate information needed. To give a NIC adapter DHCP enter dhcp at the IP prompt.
    You may configure the following network interfaces (the interfaces
    marked with [X] have been successfully configured):
    [ ] ne3
    [ ] xl0
    [ ] ne4
    Configure which interface? (or, enter ‘done’) [ne3]
    IP address (or ‘dhcp’) ? []
    Symbolic (host) name? [sample5]
    Netmask ? []
    Your use of the network interface may require non-default
    media directives. The default media is:
    media: Ethernet autoselect (100baseTX full-duplex)
    This is a list of supported media:
    media autoselect
    media 100baseTX mediaopt full-duplex
    media 100baseTX
    media 10baseT mediaopt full-duplex
    media 10baseT
    If the default is not satisfactory, and you wish to use another
    media, copy that line from above (e.g. “media 100baseTX”)
    Media directives? []
    After all of the NIC adapters have been configured, tell it ‘done’ and you will drop to the next section.
    You may configure the following network interfaces (the interfaces
    marked with [X] have been successfully configured):
    [X] ne3
    [X] xl0
    [X] ne4
    Configure which interface? (or, enter ‘done’) [done]
    2.6 Installation media
    This section will allow you to tell the OpenBSD installer where to get the install packages. We also assign the root password in this part too (some packages need root privileges to run). There is also the option for installing X; tell it no. We do not require that at all. Should there be a need, it can be installed later.
    You will now be given the opportunity to escape to the command shell to do
    any additional network configuration you may need. This may include adding
    additional routes, if needed. In addition, you might take this opportunity
    to redo the default route in the event that it failed above.
    Escape to shell? [n]
    /dev/wd0a on /mnt type ffs (rw, asynchronous, local)
    /dev/wd0d on /mnt/tmp type ffs (rw, asynchronous, local)
    /dev/wd0e on /mnt/var type ffs (rw, asynchronous, local)
    /dev/wd0g on /mnt/usr type ffs (rw, asynchronous, local)
    /dev/wd0h on /mnt/home type ffs (rw, asynchronous, local)
    We must give the root account a password here. To keep things simple, unless otherwise stated use the administrative account that is used on the other systems to keep uniformity.
    Please enter the initial password that the root account will have.
    Password (will not echo):
    Password (again):
    Here is the X Window GUI option. We do not need this at this time.
    Do you expect to run the X Window System? [y]
    It is now time to extract the installation sets onto the hard disk. Make sure
    the sets are either on a local device (i.e. tape, CD-ROM) or on a network
    server. You will have the chance to repeat this step or to extract sets from
    several places, so you don’t have to try to load all the sets in one try and
    can recover from some errors.
    Install from (f)tp, (h)ttp, (t)ape, (C)D-ROM, (N)FS or local (d)isk?
    After selecting the media it will either move to the next section or, as in our case, go to the FTP selection screen. There were no screenshots available, but the process is simple.
    [none] proxy server
    [n] active FTP
    [y] List FTP servers
    As the list of FTP servers pops up, press space to paginate and note some FTP servers that are close by. As of the time of my installation, 63 (Chicago) and 75 (Madison) were two of the closest, fastest servers.
    [#of choice] selects the FTP
    [enter] accepts FTP
    [enter] accepts default FTP directory path (99.9999% a good idea)
    [enter] Anonymous FTP
    2.7 Choosing installation packages and finishing the install.
    Now we must select the packages. The packages are as follows :
    You will now be asked for files to extract. In addition to the
    files listed in the selector you may enter any file located in
    /mnt2//3.0/i386. You can also enter ‘all’ to install all the standard
    sets, or ‘list’ to list the files available in /mnt2//3.0/i386.
    When you are done selecting files, enter ‘done’.
    Some of these sets are required for your install and some are optional –
    You will want at least the base and bsd sets.
    Consult the installation notes if you are not sure which sets are required!
    The following sets are available for extraction.
    Enter filename, `list’, `all’, or `done’.
    You may de-select a set by prepending a ‘-’ to its name.
    [X] base30.tgz
    [X] etc30.tgz
    [X] misc30.tgz
    [X] comp30.tgz
    [X] man30.tgz
    [ ] game30.tgz
    [ ] xbase30.tgz
    [ ] xshare30.tgz
    [ ] xfont30.tgz
    [ ] xserv30.tgz
    [X] bsd
    File name? []
    We need to tell it what packages to use. Select just the packages marked above.
    Set           Contents                                                 Status
    base30.tgz    Has the base OpenBSD system                              Required
    etc30.tgz     Has all the files in /etc                                Required
    comp30.tgz    Has the compiler and its tools, libs                     Recommended
    man30.tgz     Holds man pages                                          Recommended
    misc30.tgz    Holds misc info, setup docs                              Optional
    game30.tgz    Has the games for OpenBSD                                Optional
    xbase30.tgz   Has the base install for X11                             Optional
    xfont30.tgz   Holds X11’s font server and fonts                        Optional
    xserv30.tgz   Has X11’s X servers                                      Optional
    xshare30.tgz  Has manpages, locale settings, includes, etc for X       Optional
    bsd           This is the kernel                                       Required
    To add a package, type +packagename*, and conversely, to remove a selected package, type -packagename*.
    [done] To go download packages
    100% |************************************************* *| 21192 KB 00:00 ETA
    100% |************************************************* *| 987 KB 00:00 ETA
    100% |************************************************* *| 4957 KB 00:00 ETA
    100% |************************************************* *| 3053 KB 00:00 ETA
    100% |************************************************* *| 1644 KB 00:00 ETA
    100% |************************************************* *| 14406 KB 00:00 ETA
    Extract more sets? [n]
    2.8 Timezone settings
    Now we get down and dirty with the timezone settings.
    Copying fstab, hostname.fxp0, hosts, myname, mygate, resolv.conf, …done.

    What timezone are you in? [`?’ for list] [GMT] ?
    Africa/ Chile/ GB-Eire Israel NZ-CHAT Turkey
    America/ Cuba GMT Jamaica Navajo UCT
    Antarctica/ EET GMT+0 Japan PRC US/
    Arctic/ EST GMT-0 Kwajalein PST8PDT UTC
    Asia/ EST5EDT GMT0 Libya Pacific/ Universal
    Atlantic/ Egypt Greenwich MET Poland W-SU
    Australia/ Eire HST MST Portugal WET
    Brazil/ Etc/ Hongkong MST7MDT ROC Zulu
    CET Europe/ Iceland Mexico/ ROK posixrules
    CST6CDT Factory Indian/ Mideast/ Singapore
    Canada/ GB Iran NZ SystemV/
    We want to use CST6CDT
    What timezone are you in? [`?’ for list] [GMT] CST6CDT
    You have selected timezone “CST6CDT”.
    Installing timezone link.
    2.9 Finishing it all up
    Now the system is getting set up with all of the /dev entries and such. That is pretty much the last thing that is done to install OpenBSD.
    Making all device nodes (by running /dev/MAKEDEV all) …… done.
    Installing boot block…
    boot: /mnt/boot
    proto: /usr/mdec/biosboot
    device: /dev/rwd0c
    /usr/mdec/biosboot: entry point 0
    proto bootblock size 512
    room for 12 filesystem blocks at 0x16f
    Will load 7 blocks of size 8192 each.
    Using disk geometry of 63 sectors and 255 heads.
    0: 20 @(0 108 44) (6847-6866)
    1: 63 @(0 109 1) (6867-6929)
    2: 13 @(0 110 1) (6930-6942)
    3: 5 @(0 9 59) (625-629)
    4: 11 @(0 10 1) (630-640)
    /mnt/boot: 5 entries total
    using MBR partition 3: type 166 (0xa6) offset 63 (0x3f)
    Enabling machdep.allowaperture. Read xf86(4) for more information.
    Unmounting filesystems… /mnt/home /mnt/usr /mnt/var /mnt/tmp /mnt … Done.
    CONGRATULATIONS! You have successfully installed OpenBSD! To boot the
    installed system, enter halt at the command prompt. Once the system has
    halted, reset the machine and boot from the disk.
    Now that the system is all set up, remove the CDROM or boot floppy and type:
    # reboot
    And the system will reboot.

  #3 peter (Administrator Advisor), Join Date: Apr 2004
    Section 3 — Configuring OpenBSD
    3.1 /etc/sysctl.conf
    This file controls some kernel options. We need to uncomment a particular line:

    #net.inet.ip.forwarding=1

    Now IP forwarding will be enabled the next time we reboot.
    3.2 /etc/rc.conf
    This file handles the runlevel controls. We need to enable pf , the firewall/port forwarding application. We do this by changing a particular line:
    to (and note case sensitivity again)
    Save and exit. Now pf will start on every boot, without any intervention.
    3.3 /etc/nat.conf
    This is the NAT rule file. The NAT (Network Address Translation) table gets built here.
    A sample file will be as such :

    # Declare some variables for ease of use
    # Allow LAN to talk to SBC router
    nat on ne4 from any to -> $SBC
    # Set basic NAT to occur on MCLeoud DSL line.
    nat on $MCLEOUD from $LAN to any -> $MCLEOUD
    rdr on ne3 proto tcp from any to port 22 -> port 22
    3.4 /etc/resolv.conf
    This file holds the information for your network in regards to DNS resolution. A simple /etc/resolv.conf file will have just two or three lines, one for the search order and one or two for nameservers. Take a look at the example file, the one I used when setting up the gateway initially:
    search #Our domain
    nameserver #SBC Primary DNS
    nameserver #SBC Secondary DNS
    nameserver #SBC Router (for backup reasons)
    nameserver #McCleoud Router (for backup reasons)
    3.5 /etc/hostname.XxYyZz files
    These files are the network settings for our NIC adapters. Each file will be called hostname.. For example if you have a ne3 NIC device, the file will be /etc/hostname.ne3. Each file will have one line telling ifconfig how to bring your ethernet card up during boot.
    A simple /etc/hostname file will be as follows
    inet NONE
    The format is essentially as follows:
    inet Type of driver to use IP address of adapter Subnetmask of adapter
    NONE Broadcast settings
    In this example, the NIC adapter will be set to Simple, eh?
    3.6 /etc/pf.conf
    This is the firewall script that will allow, block, and log any packet that you wish. It can be by IP, packet type (ICMP, UDP, TCP), port, or TCP request type (ACK, SYN, etc). Here is the firewall script that I currently have enabled.

    # Setup a variable for who IS allowed to go online
    #MAPQUEST="{,,,,64.12.1
    # Default Rules

    pass out quick on $LAN all
    pass in quick on $LAN from any to
    pass in quick on $LAN from $FullInternetIPs to any
    pass in quick on $LAN from any to $SBC
    pass in quick on $LAN from any to $DNS
    pass in quick on $LAN from any to $MAPBLAST
    pass in quick on $LAN from any to $LONG_DISTANCE
    pass in quick on ne3 proto tcp from any to any port 22
    block in log on $LAN all
    3.7 Starting the NAT service and firewall
    At the command line type the following commands:
    pfctl -R /etc/pf.conf #Adds firewall rules
    pfctl -N /etc/nat.conf #Adds NAT rules
    pfctl -e #Starts pf
    Providing that there were no errors in the .conf files, the programs will start quietly and return to the command prompt. If you see errors, it will tell you the .conf file that has the error. Then you must correct the .conf file, reload that file into pf, and restart pf.
    After pf has successfully started you can go to a workstation and make sure that the Default Gateway and DNS Server are set to the LAN port of sample5. Then make sure that there are no proxy settings and the MS-Proxy is off. You should be able to browse outside (providing you didn't forbid that in your NAT/firewall rules) and ping outside the LAN.
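    As an added example (not part of the post and not OpenBSD's own code), the following Python models how pf walks a ruleset shaped like the one in section 3.6: rules are evaluated top to bottom, the last matching rule decides, unless a matching rule carries ‘quick’, in which case evaluation stops there. The macro values and addresses are constructed placeholders standing in for the ones stripped from the post; ne3 and ne4 are the interface names used above. The parser understands only the rule shapes used on this page.

```python
"""Teaching model of pf rule evaluation for a ruleset like section 3.6.

Semantics modelled: top-to-bottom walk, last match wins, `quick` stops the
walk, and pf's implicit pass when no rule matches.  Supported rule shape:
  pass|block in|out [log] [quick] on <if> [proto <p>] (all | from <a> to <b> [port <n>])
"""
import ipaddress
import re

# Constructed macro values; the real pf.conf carries the site's addresses.
MACROS = {
    "LAN": "ne4",                              # LAN-side interface
    "SBC": "192.0.2.1",                        # assumed upstream router
    "DNS": "{ 192.0.2.53, 192.0.2.54 }",       # assumed resolvers
    "FullInternetIPs": "{ 10.0.0.10, 10.0.0.11 }",  # hosts allowed anywhere
}

# Constructed ruleset in the same shape as the post's pf.conf.
RULES = """
pass out quick on $LAN all
pass in quick on $LAN from $FullInternetIPs to any
pass in quick on $LAN from any to $SBC
pass in quick on $LAN from any to $DNS
pass in quick on ne3 proto tcp from any to any port 22
block in log on $LAN all
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?P<log>\s+log)?(?P<quick>\s+quick)?"
    r"\s+on\s+(?P<iface>\S+)"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+(?P<all>all)|\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s+(?P<port>\d+))?)$"
)


def expand(token, macros):
    """Replace a $MACRO token with its value; other tokens pass through."""
    return macros[token[1:]] if token.startswith("$") else token


def parse_rules(text, macros=MACROS):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        d = m.groupdict()
        rules.append({
            "text": line.strip(), "action": d["action"], "dir": d["dir"],
            "quick": d["quick"] is not None, "log": d["log"] is not None,
            "iface": expand(d["iface"], macros), "proto": d["proto"],
            "src": d["src"] or "any", "dst": d["dst"] or "any",
            "port": int(d["port"]) if d["port"] else None,
        })
    return rules


def addr_matches(token, ip, macros):
    """True if ip is in the address list named by token ('any', $MACRO, literal)."""
    value = expand(token, macros)
    if value == "any":
        return True
    nets = [n.strip() for n in value.strip("{} ").split(",")]
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def rule_matches(rule, pkt, macros):
    if rule["dir"] != pkt["dir"] or rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["port"] is not None and rule["port"] != pkt.get("dport"):
        return False
    return (addr_matches(rule["src"], pkt["src"], macros)
            and addr_matches(rule["dst"], pkt["dst"], macros))


def evaluate(rules, pkt, macros=MACROS):
    """Return (action, rule text) pf would apply to pkt."""
    decision = ("pass", "<default: no rule matched, pf passes>")
    for rule in rules:
        if rule_matches(rule, pkt, macros):
            decision = (rule["action"], rule["text"])
            if rule["quick"]:       # quick: stop at the first such match
                break
    return decision                 # otherwise the last match wins


def strip_quick(text):
    """Same ruleset with every `quick` removed, to show why it matters."""
    return re.sub(r"\s+quick\b", "", text)


if __name__ == "__main__":
    rules = parse_rules(RULES)
    lan_to_router = {"dir": "in", "iface": "ne4", "proto": "tcp",
                     "src": "10.0.0.50", "dst": "192.0.2.1", "dport": 80}
    print(evaluate(rules, lan_to_router))                        # pass
    print(evaluate(parse_rules(strip_quick(RULES)), lan_to_router))  # block
```

    Running it shows the point of the ‘quick’ keyword on every pass rule above: a LAN host reaching the router matches a pass rule and evaluation stops, while with ‘quick’ removed the trailing ‘block in log on $LAN all’ is the last match and wins. The model also shows pf's implicit default: a packet on ne3 that no rule matches is passed, which is worth keeping in mind when reading what pfctl reports.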
