Linuxathome.net - Linux news and help for home broadband internet users
 Home | Files | Case Mods | Reviews | Forum | Search | Links | RDF | Contact | Uptime | Server Info | Tracker
Sections

Installation Guide
Setting Up
Internet Sharing
Port Forwarding
Services Config
Installing Programs
Game Servers
Using IPTables
Useful Commands
Kernel Upgrading
System Recovery
Red Hat 7.2 Setup
OpenBSD Setup
BPA Login Setup
PPPoE Setup
Add New Hardware
Using PPTP VPN
VMware ESX Cmds
Our RC5 Team
Folding@Home
Help Support Us

 
Articles
Linux Security
NetStats FAQ
Linux KIS Trojan
CAT5/LAN Cables
Domain Names
Presario RH Install APC Debian DVD
 
Slashdot.org
  • 'Stack Clash' Linux Flaw Enables Root Access. Patch Now
  • Former Slashdot Contributor Jon Katz Believes He Can Talk To Animals
  • Phoronix Announces '2017 Linux Laptop Survey'
  • The People GoFundMe Leaves Behind
  • Sci-Hub Ordered To Pay $15 Million In Piracy Damages
  • FCC Grants OneWeb Approval To Launch Over 700 Satellites For 'Space Internet'
  • Obama Authorized a Secret Cyber Operation Against Russia, Says Report
  • 32TB of Windows 10 Internal Builds, Core Source Code Leak Online
  • 6 Female Founders Accuse VC Justin Caldbeck of Making Unwanted Advances
  • Tesla Is 'In Talks' To Build a Factory In China
  • 'Chiropractors Are Bullshit'
  • Texting While Driving Now Legal In Colorado -- In Some Cases
  • IT Services Company Wipro Forces 600 Employees To Work In Bed Bug Infested Office
  • WikiLeaks Doc Dump Reveals CIA Tools For Hacking Air-Gapped PCs
  • YouTube Claims 1.5 Billion Monthly Users
  •  
    Affiliates

    TweakTown.com
    ZGeek.com
    pebkac-consulting.com.au

     
    Webmail
      E-mail Address:

    Password:


     

      Guide To An OpenBSD Cable Router

      The following article / guide was written by Liam who is a Senior Administrator at www.secureteam.org, it is provided for those of you who want to take the step up from Linux and use a more secure OS in the BSD family.
     

      OpenBSD How-To Instructions

     

    Why OpenBSD?
    OpenBSD (unlike any other distribution) is designed purely around security. In fact, in 4 years, there hasn't been any remote hole in the default install. This is because it has a "Secure by Default" policy, which means novice users do not need to become security experts overnight or have to rush things.

    It's a free distribution based in Canada, which means it can integrate such things as cryptography etc.

    I was previously a Slackware Linux user, until I discovered OpenBSD and, it being the MOST secure operating system around, I decided to dedicate some time to it.

    I have to warn you, it's not easy, especially if you have very little Linux or Unix experience. Mostly little things like needing to learn vim and getting used to not having bash could upset the bandwagon, but all these problems can be fixed (I will show you how in this document) and, in this day and age where we have the resources that we do at our fingertips (like the Internet), problems and/or questions are shared throughout the world.

    My main reason for choosing OpenBSD over anything else is security. It comes with OpenSSH preinstalled (instead of telnet) and has integrated cryptography.

    I encourage you to give OpenBSD a go. Start with a book, or at the web site www.openlysecure.com and then refer back to this broadband setup guide.

    Welcome to the community.

    Liam Senior
    Administrator - Secureteam.org
    E-mail: liam@secureteam.org
    azel@efnet

    Setup
    Setting up an OpenBSD firewall is a straightforward process. I will assume that you have already installed OpenBSD 2.x and that you are comfortable with the UNIX environment. All you need to do is modify the relevant configuration files as described below and then reboot your firewall, upon doing so everything should connect and come up nicely.

    This will then be able to firewall and transparently share your cable modem, as well as provide a high degree of security to all client machines behind the firewall.

    For my setup, I used an OpenBSD 2.9 box, a Windows 2000 workstation, a 10/100 Switch (a hub would do the job though) and networking cable. The OpenBSD firewall will require two Network Interface Cards.

    The information contained herein is based upon a stock install of OpenBSD 2.9 running on an i386 machine. However, remember that the buck doesn't stop at the end of this document; you still need to be cautious and check for patches often. It's not hard to subscribe to an email service (such as a mailing list of some sort) that will keep you up to date and informed about what is happening in the world of security or Unix.

    However, enjoy and good luck.

    /etc/sysctl.conf
    There is actually only one change that needs to be made to the default /etc/sysctl.conf. Just uncomment the first line to allow the firewall to forward IP packets between networks.

    #	$OpenBSD: sysctl.conf,v 1.21 2000/10/23 17:15:47 deraadt Exp $
    #
    # This file contains a list of sysctl options the user wants set at
    # boot time.  See sysctl(3) and sysctl(8) for more information on
    # the many available variables.
    #
    net.inet.ip.forwarding=1   	# 1=Permit forwarding (routing) of packets
    #net.inet6.ip6.forwarding=1	# 1=Permit forwarding (routing) of packets
    #net.inet6.ip6.accept_rtadv=1	# 1=Permit IPv6 autoconf (forwarding must be 0)
    #net.inet.tcp.rfc1323=0	        # 0=disable TCP RFC1323 extensions (for if tcp is slow)
    #net.inet.esp.enable=1	        # 1=Enable the ESP IPSec protocol
    #net.inet.ah.enable=1   	# 1=Enable the AH IPSec protocol
    #ddb.panic=0		        # 0=Do not drop into ddb on a kernel panic
    #ddb.console=1	    		# 1=Permit entry of ddb from the console
    #fs.posix.setuid=0	    	# 0=Traditional BSD chown() semantics
    #vm.swapencrypt.enable=1  	# 1=Encrypt pages that go to swap
    #vfs.nfs.iothreads=4	        # number of nfsio kernel threads
    #net.inet.ip.mtudisc=1		# 1=enable tcp mtu discovery
    #machdep.allowaperture=2   	# See xf86(4)
    #machdep.apmwarn=10		# battery % when apm status messages enabled
    #machdep.apmhalt=0	     	# 1=powerdown hack, try if halt -p doesn't work
    #machdep.kbdreset=1		# permit console CTRL-ALT-DEL to do a nice halt

    /etc/rc.conf
    Turn on ipfilter and ipnat in /etc/rc.conf. You may also want to turn other services on or off to fit your installation. The rc.conf above will result in a very secure firewall since all unnecessary services are shut off. I have bound sshd to fxp0 (my internal network interface) in /etc/sshd_config to prevent attempted connections from the world. If you need to have some sort of remote administration, think about SSH. OpenBSD comes with a preinstalled version of OpenSSH, which looks and feels a lot like telnet, only it's encrypted.

    #!/bin/sh -
    #
    #	$OpenBSD: rc.conf,v 1.57 2001/04/19 04:00:15 deraadt Exp $
    
    # set these to "NO" to turn them off.  otherwise, they're used as flags
    routed_flags=NO		# for normal use: "-q"
    mrouted_flags=NO  	# for normal use: "", if activated
    		   	# be sure to enable multicast_router below.
    rarpd_flags=NO		# for normal use: "-a"
    bootparamd_flags=NO	# for normal use: ""
    rbootd_flags=NO		# for normal use: ""
    sshd_flags=""  		# for normal use: ""
    sendmail_flags="-q30m"	# for normal use: "-bd -q30m"
    smtpfwdd_flags=NO  	# for normal use: "", and no "-bd" above.
    named_flags=NO		# for normal use: ""
    rdate_flags=NO		# for normal use: name of RFC868 timeserver
    timed_flags=NO		# for normal use: ""
    ntpdate_flags=NO  	# for normal use: NTP server; run before ntpd starts
    photurisd_flags=NO	# for normal use: ""
    isakmpd_flags=NO  	# for normal use: ""
    mopd_flags=NO	        # for normal use: "-a"
    httpd_flags=NO		# for normal use: "" (or "-DSSL" after reading ssl(8))
    apmd_flags=NO	        # for normal use: ""
    dhcpd_flags=NO		# for normal use: "-q"
    rtadvd_flags=NO		# for normal use: list of interfaces
    			# be sure to set net.inet6.ip6.forwarding=1
    route6d_flags=NO  	# for normal use: ""
    			# be sure to set net.inet6.ip6.forwarding=1
    rtsold_flags=NO		# for normal use: interface
    			# be sure to set net.inet6.ip6.forwarding=0
    			# be sure to set net.inet6.ip6.accept_rtadv=1
    
    # Set to NO if ftpd is running out of inetd
    ftpd_flags=NO	        # for non-inetd use: "-D"
    
    # Set to NO if identd is running out of inetd
    identd_flags=NO		# for non-inetd use: "-b -u nobody -elo"
    
    # On some architectures, you must also disable console getty in /etc/ttys
    xdm_flags=NO  		# for normal use: ""
    
    # For enabling console mouse support (i386 architecture only)
    moused_flags=NO		# for ps/2 try: "-p /dev/psm0", serial: "-p /dev/cua00"
    
    # set the following to "YES" to turn them on
    rwhod=NO
    nfs_server=NO 		# see sysctl.conf for nfs client configuration
    lockd=NO
    gated=NO
    kerberos_server=NO	# kerberos server. run 'info kth-krb' for assistance.
    kerberos_slave=NO 	# kerberos slave server.
    amd=NO
    ipfilter=YES
    ipnat=YES	        # for "YES" ipfilter must also be "YES"
    portmap=NO		# almost always needed
    inetd=NO	        # almost always needed
    lpd=NO		    	# printing daemons
    check_quotas=YES  	# NO may be desirable in some YP environments
    ntpd=NO		     	# run ntpd if it exists
    afs=NO		    	# mount and run afs
    
    # Multicast routing configuration
    # Please look at /etc/netstart for a detailed description if you change these
    multicast_host=NO 	# Route all multicast packets to a single interface
    multicast_router=NO	# A multicast routing daemon will be run, e.g. mrouted
    
    # miscellaneous other flags
    # only used if the appropriate server is marked YES above
    gated_flags=
    ypserv_flags=			# E.g. -1 for YP v1, -d for DNS etc
    yppasswdd_flags=		# "-d /etc/yp" if passwd files are in /etc/yp
    nfsd_flags="-tun 4"		# Crank the 4 for a busy NFS fileserver
    amd_dir=/tmp_mnt		# AMD's mount directory
    amd_master=/etc/amd/master	# AMD 'master' map
    ipfilter_rules=/etc/ipf.rules	# Rules for IP packet filtering
    ipnat_rules=/etc/ipnat.rules	# Rules for Network Address Translation
    ipmon_flags=-Ds		# To disable logging, use ipmon_flags=NO
    syslogd_flags=		# add more flags, ie. "-u -a /chroot/dev/log"
    named_user=named	# Named should not run as root unless necessary
    named_chroot=/var/named	# Where to chroot named if not empty
    afs_mount_point=/afs	# Mountpoint for AFS
    afs_device=/dev/xfs0	# Device used by afsd
    afsd_flags=-z		# Flags passed to afsd
    shlib_dirs=		# extra directories for ldconfig
    
    local_rcconf="/etc/rc.conf.local"
    
    [ -f ${local_rcconf} ] && . ${local_rcconf} # Do not edit this line

    /etc/hostname.xxx
    The /etc/hostname.xxx files configure your network interfaces (at least 2 network cards are required in your firewall). In this example fxp0 is the NIC that is connected to the LAN and rl0 is connected to the cable modem. I chose the first available IP address in my subnet for fxp0 and used dhcp for rl0 and that results in a very simple file. Substitute *.fxp0 or *.rl0 for the proper notation for your NICs which can be obtained with the dmesg command.

    /etc/hostname.fxp0 - LAN Interface
    inet 192.168.0.1 255.255.255.0 NONE
    /etc/hostname.rl0 - Modem Interface
    dhcp

    /etc/dhclient.conf
    The /etc/dhclient.conf file configures your network interface that connects to your ISP. In this example rl0 is the NIC that is connected to the cable modem. Please remember that every ISP will have a different procedure for obtaining an IP address. In my example below, I will use the example that is most common upon my peers @Home cable Internet. Also remember to replace your interface "rl0" field with the correct ethernet adaptor for your firewall and also to place your correct hostname in the send host-name "coxxxxxxx-a" line.

    # dhclient.conf
    #
    # Configuration file for ISC dhclient (see 'man dhclient.conf')
    #
    interface "rl0" {
    send host-name "coxxxxxxx-a";
    }
    
    send dhcp-lease-time 3600;
    prepend domain-name-servers 127.0.0.1;
    request subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers,
    host-name;
    require subnet-mask, domain-name-servers;

    /etc/ipf.rules
    You should probably check out more documentation of IPFilter, since it's so wonderfully and heavily documented. You'll be surprised how simple it is. If you read through my defined rules below you should get a fairly good sense of what is going on and how packets are being processed. To engage rule changes without rebooting, simply run "ipf -Fa -f /etc/ipf.rules".

    ##################################
    # /etc/ipf.rules
    # Modified by Liam S, OpenBSD 2.9
    # July 18, 2001
    ##################################
    
    
    ##################################
    # Start Ruleset
    ##################################
    
    #INTERNAL INTERFACE RULES
    
    # Loopback device
    pass out quick on lo0
    pass in quick on lo0
    
    # Internal interface
    pass in quick on fxp0
    pass out quick on fxp0
    
    # EXTERNAL INTERFACE RULES
    
    # Block frags
    block in quick on rl0 all with frags
    
    # Block tcp packets that are short
    block in quick on rl0 proto tcp all with short
    
    # Drop all source routed packets
    block in quick on rl0 all with opt lsrr
    block in quick on rl0 all with opt ssrr
    
    # Deny OS fingerprint attempts from NMAP
    block in log quick on rl0 proto tcp from any to any flags FUP
    
    #Enter open ports here
    # For ssh
    pass in log quick on rl0 from any to any port = 22
    #For FTP
    pass in log quick on rl0 from any to any port = 21
    
    # Block and specific ports (also logs)
    block in log quick on rl0 from any to any port = 23
    block in log quick on rl0 from any to any port = 25
    block in log quick on rl0 from any to any port = 53
    block in log quick on rl0 from any to any port = 80
    block in log quick on rl0 from any to any port = 111
    block in log quick on rl0 from any to any port = 443
    block in log quick on rl0 from any to any port = 515
    
    # Deny all inbound traffic by protocol and catch anything that falls through
    block in quick on rl0 from any to any
    block in quick on rl0 proto tcp from any to any
    block in quick on rl0 proto udp from any to any
    block in quick on rl0 proto icmp from any to any
    
    # Don't allow specific websites here
    #www.firewall.cx
    block out quick on rl0 from any to 216.239.132.52
    
    # Send out all data and all returns
    pass out quick on rl0 proto tcp from any to any flags S keep state
    pass out quick on rl0 proto udp from any to any keep state
    pass out quick on rl0 proto icmp from any to any keep state
    
    #################################
    # End Ruleset
    #################################

    /etc/ipnat.rules
    A packet sent off for the Internet (from the local network) is compared to the rules in /etc/ipnat.rules and the first matching rule is applied to that packet. The first rule allows efficient forwarding of TCP and UDP packets while the second rule allows forwarding for ICMP packets. The rdr (re-direct) rule is applied to packets that are incoming on the first specified interface (such as rl0). The packets are then redirected from the destination IP address, designated as rl0/32 here, to a host behind the OpenBSD box.

    # $OpenBSD: ipnat.rules,v 1.2 1999/05/08 16:33:10 jason Exp $
    #
    # See /usr/share/ipf/nat.1 for examples.
    # edit the ipnat= line in /etc/rc.conf to enable NAT
    map rl0 192.168.0.0/24 -> rl0/32 portmap tcp/udp 10000:60000
    map rl0 192.168.0.0/24 -> rl0/32
    
    # Redirect traffic to a host behind the firewall
    # rdr rl0 rl0/32 port 21 -> 192.168.0.8 port 21
    
    # map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 10000:20000

    You're now all finished getting your OpenBSD firewall ready to get online. Now just reboot the firewall and type "dhclient". This should be all you need to do to get it online.

    Configuring Clients
    A client is any workstation located behind your firewall that will connect to the Internet through the firewall (or use any of its services). Any Operating System that supports TCP/IP networking should be able to connect through this OpenBSD firewall. To manually configure clients you will need to supply the following information: the client IP address and netmask; the IP of your gateway; the IP address of your ISP's DNS server.

    IP Address and Netmask: The first IP address and netmask you need is on your firewall's LAN interface. You can set this to have an IP address of 192.168.0.1 (a non-routable address) and a Subnet mask of 255.255.255.0. This basically allows any machine on the Local Network to begin its IP with 192.168.0 and have a netmask of 255.255.255.0. Now you can begin choosing IPs for clients beginning with the address 192.168.0.2 and going up to 192.168.0.254 (not that you'd need 254 pcs).

    Gateway IP: This is just the IP address of your OpenBSD box's LAN interface (192.168.0.1). You need to set a gateway for your clients to connect to the world.

    DNS and Your ISP: Each machine will need to know the IP of your ISP's DNS server(s). In addition you will need to name each machine on your network "something.whatever". However, since you chose non-routable addresses you can pick any names you want and not worry, since it won't be using this feature.

    DHCP on the Local Network
    By using your firewall as a DHCP server you can automatically configure client machines for your Local Area Network. You must allow your dhcp server to listen only on your LAN interface.

    The real advantage of using DHCP is that workstation configuration is so easy. Any Operating System should be able to configure itself using DHCP. Most will default to using DHCP.

    Implementing the dhcp daemon by following these directions:

    • Activate the dhcpd in /etc/rc.conf file;
    • Edit the file /etc/dhcpd.conf file;
    • Edit the file /etc/dhcpd.interfaces file;
    • Reboot the server.

    Not hard at all.

    Changes to /etc/rc.conf
    Simply change these lines in /etc/rc.conf

    dhcpd_flags=NO	# for normal use: "-q"
    to
    dhcpd_flags="-q"	# for normal use: "-q

    /etc/dhcpd.conf
    All of the options in dhcpd.conf are pretty much self-explanatory. Please note that you are giving out the IP address of your ISP's DNS server to each client, so change these accordingly and also change the option domain-name to suit any host you like. I have also included an example on how to bind the same IP address to a specific MAC address (as shown with example "box1").

    #	$OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
    #
    # DHCP server options.
    # See dhcpd.conf(5) and dhcpd(8) for more information.
    #
    
    option domain-name "secureteam.org";
    option domain-name-servers 203.164.20.10;
    
    subnet 192.168.0.0 netmask 255.255.255.0 {
    	option routers 192.168.0.1;
    
    	range 192.168.0.2 192.168.0.254;
    
    	host box1 {
    		hardware ethernet 00:00:E8:77:12:09;
    		fixed-address 192.168.0.6;
    	}
    }

    /etc/dhcpd.interfaces
    This is the important file that binds dhcpd to a specific interface. Do the following to bind dhcpd to your LAN interface (if not you'll be trying to hand out IP addresses to half of the Internet).

    1. mv /etc/dhcpd.interfaces /etc/dhcpd.interfaces.bak
    2. echo fxp0 > /etc/dhcpd.interfaces

    Remember to substitute your Local Network interface for fxp0 in the /etc/dhcpd.interfaces file.

    Proudly Hosted By:
    Hosted by PEBKAC Consulting

    Please read our Legal Notice for information concerning our site and its content.
    All logos and trademarks in this site are property of their respective owner. All the rest © 2000 - 2016 by Linuxathome.net

    Reviews

    D-Link DI-704P
    VIA EPIA-M 9000
    Tux Applique
    Ricoh MP5125A
    AMD XP 2600+
    3DProphet 9000Pro
    Radeon 9700 Pro
    XTNDAccess IrDA
    Netgear FS-524s
    DSR2161 KVM
    Game TheaterXP & XPS-510 Speakers
    3D Prophet 4000XT
    AutoView 400
    Back-UPS CS 350
    Dual Neon Kit
    SwitchView KVM
    20x4 LCD Kit
    Window Kit

     
    Kuro5hin.org
    XML error: Mismatched tag at line 26.
     
    Google (Linux)
    Enter Keywords:

     
    Bash Jokes

    % \(-

    (-: Command not found.

     
    Virtualization, Virtual Machine & Virtual Server Consolidation - VMware

    The Community ENTerprise Operating System

    Get Slackware Linux

    Use OpenOffice.org

    Use Asterisk