Why OpenBSD?
OpenBSD (unlike any other distribution) is designed purely around security. In fact, in 4 years there hasn't been a remote hole in the default install. This is because of its "Secure by Default" policy, which means novice users do not need to become security experts overnight or rush things. It's a free distribution based in Canada, which means it can integrate things such as cryptography directly.
I was previously
a Slackware Linux user, until I discovered OpenBSD and, it being
the MOST secure operating system around, I decided to dedicate some
time to it.
I have to warn you, it's not easy, especially if you have very little Linux or Unix experience. Mostly it's little things like needing to learn vim and getting used to not having bash that could upset the bandwagon, but all these problems can be fixed (I will show you how in this document). And in this day and age, with the resources we have at our fingertips (like the Internet), problems and questions are shared throughout the world.
My main reason
for choosing OpenBSD over anything else is security. It comes with
OpenSSH preinstalled (instead of telnet) and has integrated cryptography.
I encourage
you to give OpenBSD a go. Start with a book, or at the web site
www.openlysecure.com
and then refer back to this broadband setup guide.
Welcome to
the community.
Liam Senior
Administrator - Secureteam.org
E-mail: liam@secureteam.org
azel@efnet
Setup
Setting up an OpenBSD firewall is a straightforward process. I will assume that you have already installed OpenBSD 2.x and that you are comfortable with the UNIX environment. All you need to do is modify the relevant configuration files as described below and then reboot your firewall; everything should then connect and come up nicely.
The result is a box that firewalls and transparently shares your cable modem, as well as providing a high degree of security to all client machines behind it.
For my setup,
I used an OpenBSD 2.9 box, a Windows 2000 workstation, a 10/100
Switch (a hub would do the job though) and networking cable. The
OpenBSD firewall will require two Network Interface Cards.
The information contained herein is based upon a stock install of OpenBSD 2.9 running on an i386 machine. However, remember that the buck doesn't stop at the end of this document; you still need to be cautious and check for patches often. It's not hard to subscribe to a mailing list that will keep you up to date and informed about what is happening in the world of security or Unix.
Enjoy, and good luck.
/etc/sysctl.conf
There is actually only one change that needs to be made to the default /etc/sysctl.conf. Just uncomment the first line (net.inet.ip.forwarding=1), as shown below, to allow the firewall to forward IP packets between networks.
# $OpenBSD: sysctl.conf,v 1.21 2000/10/23 17:15:47 deraadt Exp $
#
# This file contains a list of sysctl options the user wants set at
# boot time. See sysctl(3) and sysctl(8) for more information on
# the many available variables.
#
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
#net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of packets
#net.inet6.ip6.accept_rtadv=1 # 1=Permit IPv6 autoconf (forwarding must be 0)
#net.inet.tcp.rfc1323=0 # 0=disable TCP RFC1323 extensions (for if tcp is slow)
#net.inet.esp.enable=1 # 1=Enable the ESP IPSec protocol
#net.inet.ah.enable=1 # 1=Enable the AH IPSec protocol
#ddb.panic=0 # 0=Do not drop into ddb on a kernel panic
#ddb.console=1 # 1=Permit entry of ddb from the console
#fs.posix.setuid=0 # 0=Traditional BSD chown() semantics
#vm.swapencrypt.enable=1 # 1=Encrypt pages that go to swap
#vfs.nfs.iothreads=4 # number of nfsio kernel threads
#net.inet.ip.mtudisc=1 # 1=enable tcp mtu discovery
#machdep.allowaperture=2 # See xf86(4)
#machdep.apmwarn=10 # battery % when apm status messages enabled
#machdep.apmhalt=0 # 1=powerdown hack, try if halt -p doesn't work
#machdep.kbdreset=1 # permit console CTRL-ALT-DEL to do a nice halt
/etc/rc.conf
Turn on ipfilter and ipnat in /etc/rc.conf. You may also want to turn other services on or off to fit your installation.
The rc.conf below will result in a very secure firewall since all unnecessary services are shut off. I have bound sshd to fxp0 (my internal network interface) in /etc/sshd_config to prevent attempted connections from the world. If you need some sort of remote administration, think about SSH. OpenBSD comes with a preinstalled version of OpenSSH, which looks and feels a lot like telnet, only it's encrypted.
#!/bin/sh -
#
# $OpenBSD: rc.conf,v 1.57 2001/04/19 04:00:15 deraadt Exp $
# set these to "NO" to turn them off. otherwise, they're used as flags
routed_flags=NO # for normal use: "-q"
mrouted_flags=NO # for normal use: "", if activated
# be sure to enable multicast_router below.
rarpd_flags=NO # for normal use: "-a"
bootparamd_flags=NO # for normal use: ""
rbootd_flags=NO # for normal use: ""
sshd_flags="" # for normal use: ""
sendmail_flags="-q30m" # for normal use: "-bd -q30m"
smtpfwdd_flags=NO # for normal use: "", and no "-bd" above.
named_flags=NO # for normal use: ""
rdate_flags=NO # for normal use: name of RFC868 timeserver
timed_flags=NO # for normal use: ""
ntpdate_flags=NO # for normal use: NTP server; run before ntpd starts
photurisd_flags=NO # for normal use: ""
isakmpd_flags=NO # for normal use: ""
mopd_flags=NO # for normal use: "-a"
httpd_flags=NO # for normal use: "" (or "-DSSL" after reading ssl(8))
apmd_flags=NO # for normal use: ""
dhcpd_flags=NO # for normal use: "-q"
rtadvd_flags=NO # for normal use: list of interfaces
# be sure to set net.inet6.ip6.forwarding=1
route6d_flags=NO # for normal use: ""
# be sure to set net.inet6.ip6.forwarding=1
rtsold_flags=NO # for normal use: interface
# be sure to set net.inet6.ip6.forwarding=0
# be sure to set net.inet6.ip6.accept_rtadv=1
# Set to NO if ftpd is running out of inetd
ftpd_flags=NO # for non-inetd use: "-D"
# Set to NO if identd is running out of inetd
identd_flags=NO # for non-inetd use: "-b -u nobody -elo"
# On some architectures, you must also disable console getty in /etc/ttys
xdm_flags=NO # for normal use: ""
# For enabling console mouse support (i386 architecture only)
moused_flags=NO # for ps/2 try: "-p /dev/psm0", serial: "-p /dev/cua00"
# set the following to "YES" to turn them on
rwhod=NO
nfs_server=NO # see sysctl.conf for nfs client configuration
lockd=NO
gated=NO
kerberos_server=NO # kerberos server. run 'info kth-krb' for assistance.
kerberos_slave=NO # kerberos slave server.
amd=NO
ipfilter=YES
ipnat=YES # for "YES" ipfilter must also be "YES"
portmap=NO # almost always needed
inetd=NO # almost always needed
lpd=NO # printing daemons
check_quotas=YES # NO may be desirable in some YP environments
ntpd=NO # run ntpd if it exists
afs=NO # mount and run afs
# Multicast routing configuration
# Please look at /etc/netstart for a detailed description if you change these
multicast_host=NO # Route all multicast packets to a single interface
multicast_router=NO # A multicast routing daemon will be run, e.g. mrouted
# miscellaneous other flags
# only used if the appropriate server is marked YES above
gated_flags=
ypserv_flags= # E.g. -1 for YP v1, -d for DNS etc
yppasswdd_flags= # "-d /etc/yp" if passwd files are in /etc/yp
nfsd_flags="-tun 4" # Crank the 4 for a busy NFS fileserver
amd_dir=/tmp_mnt # AMD's mount directory
amd_master=/etc/amd/master # AMD 'master' map
ipfilter_rules=/etc/ipf.rules # Rules for IP packet filtering
ipnat_rules=/etc/ipnat.rules # Rules for Network Address Translation
ipmon_flags=-Ds # To disable logging, use ipmon_flags=NO
syslogd_flags= # add more flags, ie. "-u -a /chroot/dev/log"
named_user=named # Named should not run as root unless necessary
named_chroot=/var/named # Where to chroot named if not empty
afs_mount_point=/afs # Mountpoint for AFS
afs_device=/dev/xfs0 # Device used by afsd
afsd_flags=-z # Flags passed to afsd
shlib_dirs= # extra directories for ldconfig
local_rcconf="/etc/rc.conf.local"
[ -f ${local_rcconf} ] && . ${local_rcconf} # Do not edit this line
/etc/hostname.xxx
The /etc/hostname.xxx files configure your network interfaces (at least 2 network cards are required in your firewall). In this example fxp0 is the NIC that is connected to the LAN and rl0 is connected to the cable modem. I chose the first available IP address in my subnet for fxp0 and used dhcp for rl0, and that results in very simple files. Substitute the proper names of your NICs (fxp0 and rl0 here) in the file names; the names can be found in the output of the dmesg command.
/etc/hostname.fxp0 - LAN Interface
inet 192.168.0.1 255.255.255.0 NONE
/etc/hostname.rl0 - Modem Interface
dhcp
/etc/dhclient.conf
The /etc/dhclient.conf file configures the network interface that connects to your ISP. In this example rl0 is the NIC that is connected to the cable modem. Please remember that every ISP will have a different procedure for obtaining an IP address. In my example below, I will use the configuration that is most common among my peers on @Home cable Internet. Also remember to replace the interface "rl0" with the correct ethernet adaptor for your firewall, and to put your correct hostname in the send host-name "coxxxxxxx-a" line. Note that the prepend domain-name-servers 127.0.0.1 line puts the firewall's own loopback address at the front of its resolver list; with named turned off in rc.conf nothing answers there, so leave that line out unless you run a local name server.
# dhclient.conf
#
# Configuration file for ISC dhclient (see 'man dhclient.conf')
#
interface "rl0" {
send host-name "coxxxxxxx-a";
}
send dhcp-lease-time 3600;
prepend domain-name-servers 127.0.0.1;
request subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers,
host-name;
require subnet-mask, domain-name-servers;
/etc/ipf.rules
You should probably check out more of the IPFilter documentation, since it's so wonderfully and heavily documented. You'll be surprised how simple it is. If you read through my rules below you should get a fairly good sense of what is going on and how packets are being processed. To load rule changes without rebooting, simply run "ipf -Fa -f /etc/ipf.rules".
##################################
# /etc/ipf.rules
# Modified by Liam S, OpenBSD 2.9
# July 18, 2001
##################################
##################################
# Start Ruleset
##################################
#INTERNAL INTERFACE RULES
# Loopback device
pass out quick on lo0
pass in quick on lo0
# Internal interface
pass in quick on fxp0
pass out quick on fxp0
# EXTERNAL INTERFACE RULES
# Block frags
block in quick on rl0 all with frags
# Block tcp packets that are short
block in quick on rl0 proto tcp all with short
# Drop all source routed packets
block in quick on rl0 all with opt lsrr
block in quick on rl0 all with opt ssrr
# Deny OS fingerprint attempts from NMAP
block in log quick on rl0 proto tcp from any to any flags FUP
#Enter open ports here
# For ssh
pass in log quick on rl0 from any to any port = 22
#For FTP
pass in log quick on rl0 from any to any port = 21
# Block specific ports (also logs)
block in log quick on rl0 from any to any port = 23
block in log quick on rl0 from any to any port = 25
block in log quick on rl0 from any to any port = 53
block in log quick on rl0 from any to any port = 80
block in log quick on rl0 from any to any port = 111
block in log quick on rl0 from any to any port = 443
block in log quick on rl0 from any to any port = 515
# Deny all inbound traffic by protocol and catch anything that falls through
block in quick on rl0 from any to any
block in quick on rl0 proto tcp from any to any
block in quick on rl0 proto udp from any to any
block in quick on rl0 proto icmp from any to any
# Don't allow specific websites here
#www.firewall.cx
block out quick on rl0 from any to 216.239.132.52
# Send out all data and all returns
pass out quick on rl0 proto tcp from any to any flags S keep state
pass out quick on rl0 proto udp from any to any keep state
pass out quick on rl0 proto icmp from any to any keep state
#################################
# End Ruleset
#################################
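A way to review what a ruleset like the one above exposes before loading it, as an added example that is not part of the original guide (the ruleset it audits is a constructed excerpt embedded in the script, and the EXT_IF name and function names are assumptions):

```shell
#!/bin/sh
# Added example (not from the original guide): audit an IPFilter ruleset
# written in the style of /etc/ipf.rules above. It lists the ports that
# "pass in" rules open on the external interface and checks that an
# unconditional "block in" catch-all exists, which is worth doing before
# loading changes with "ipf -Fa -f /etc/ipf.rules".
EXT_IF=rl0
# Constructed excerpt, embedded so the script runs stand-alone.
SAMPLE_RULES='# constructed excerpt
pass in quick on lo0
pass in quick on fxp0
block in quick on rl0 all with frags
pass in log quick on rl0 from any to any port = 22
pass in log quick on rl0 from any to any port = 21
block in log quick on rl0 from any to any port = 23
block in quick on rl0 from any to any
pass out quick on rl0 proto tcp from any to any flags S keep state'

# Print, one per line, each port an inbound "pass" rule opens on interface $1.
# Reads the ruleset on stdin.
inbound_open_ports() {
    awk -v ifc="$1" '
        /^[ \t]*#/ || NF == 0 { next }                 # skip comments and blanks
        $1 == "pass" && $2 == "in" {
            hit = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "on" && $(i+1) == ifc) hit = 1
                if (hit && $i == "port" && $(i+1) == "=") print $(i+2)
            }
        }'
}

# Exit 0 if the ruleset on stdin has an unconditional inbound block on $1
# ("block in [log] [quick] on IF all" or "... from any to any"), else exit 1.
has_default_inbound_block() {
    awk -v ifc="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        $0 ~ ("^block in( log)?( quick)? on " ifc " (all|from any to any)[ \t]*$") { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Summarise the embedded sample for the external interface.
audit_sample() {
    ports=$(printf '%s\n' "$SAMPLE_RULES" | inbound_open_ports "$EXT_IF" | tr '\n' ' ')
    dflt=NO
    printf '%s\n' "$SAMPLE_RULES" | has_default_inbound_block "$EXT_IF" && dflt=yes
    printf 'open inbound on %s: %s(default block: %s)\n' "$EXT_IF" "$ports" "$dflt"
}
audit_sample
```

Run it against the real file with `inbound_open_ports rl0 < /etc/ipf.rules` and compare the list with the ports you meant to open.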
/etc/ipnat.rules
A packet sent off to the Internet (from the local network) is compared to the rules in /etc/ipnat.rules and the first matching rule is applied to that packet. The first map rule handles TCP and UDP packets (rewriting source ports into the portmap range), while the second map rule handles everything else, such as ICMP. The rdr (redirect) rule is applied to packets that are incoming on the first specified interface (such as rl0). Those packets are redirected from the destination IP address, designated as rl0/32 here, to a host behind the OpenBSD box.
# $OpenBSD: ipnat.rules,v 1.2 1999/05/08 16:33:10 jason Exp $
#
# See /usr/share/ipf/nat.1 for examples.
# edit the ipnat= line in /etc/rc.conf to enable NAT
map rl0 192.168.0.0/24 -> rl0/32 portmap tcp/udp 10000:60000
map rl0 192.168.0.0/24 -> rl0/32
# Redirect traffic to a host behind the firewall
# rdr rl0 rl0/32 port 21 -> 192.168.0.8 port 21
# map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 10000:20000
You're now all finished getting your OpenBSD firewall ready to go online. Just reboot the firewall and type "dhclient". This should be all you need to do to get it online.
Configuring Clients
A client is
any workstation located behind your firewall that will connect to
the Internet through the firewall (or use any of its services).
Any Operating System that supports TCP/IP networking should be able
to connect through this OpenBSD firewall. To manually configure
clients you will need to supply the following information: the client
IP address and netmask; the IP of your gateway; the IP address of
your ISP's DNS server.
IP Address and Netmask: The first IP address and netmask you need is on your firewall's LAN interface. You can set this to an IP address of 192.168.0.1 (a non-routable address) and a subnet mask of 255.255.255.0. This basically allows any machine on the local network to begin its IP with 192.168.0 and have a netmask of 255.255.255.0. Now you can begin choosing IPs for clients, beginning with the address 192.168.0.2 and going up to 192.168.0.254 (not that you'd need 254 PCs).
Gateway
IP: This is just the IP address of your OpenBSD box's LAN interface
(192.168.0.1). You need to set a gateway for your clients to connect
to the world.
DNS and Your ISP: Each machine will need to know the IP of your ISP's DNS server(s). In addition you will want to name each machine on your network "something.whatever". However, since you chose non-routable addresses, these names are only used inside your own network, so you can pick any names you want and not worry.
DHCP on the Local Network
By using your firewall as a DHCP server you can automatically configure client machines for your Local Area Network. You must make your dhcp server listen only on your LAN interface.
The real advantage of using DHCP is that workstation configuration is so easy. Any Operating System should be able to configure itself using DHCP. Most will default to using DHCP.
Implement the dhcp daemon by following these directions:
- Activate dhcpd in the /etc/rc.conf file;
- Edit the /etc/dhcpd.conf file;
- Edit the /etc/dhcpd.interfaces file;
- Reboot the server.
Not hard at all.
Changes to /etc/rc.conf
Simply change this line in /etc/rc.conf
dhcpd_flags=NO # for normal use: "-q"
to
dhcpd_flags="-q" # for normal use: "-q"
/etc/dhcpd.conf
All of the
options in dhcpd.conf are pretty much self-explanatory. Please note
that you are giving out the IP address of your ISP's DNS server
to each client, so change these accordingly and also change the
option domain-name to suit any host you like. I have also included
an example on how to bind the same IP address to a specific MAC
address (as shown with example "box1").
# $OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
option domain-name "secureteam.org";
option domain-name-servers 203.164.20.10;
subnet 192.168.0.0 netmask 255.255.255.0 {
option routers 192.168.0.1;
range 192.168.0.2 192.168.0.254;
host box1 {
hardware ethernet 00:00:E8:77:12:09;
fixed-address 192.168.0.6;
}
}
/etc/dhcpd.interfaces
This is the important file that binds dhcpd to a specific interface. Do the following to bind dhcpd to your LAN interface (if not, you'll be trying to hand out IP addresses to half of the Internet):
- mv /etc/dhcpd.interfaces /etc/dhcpd.interfaces.bak
- echo fxp0 > /etc/dhcpd.interfaces
Remember to substitute your local network interface for fxp0 in the /etc/dhcpd.interfaces file.
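The three files above (rc.conf, dhcpd.conf and dhcpd.interfaces) have to agree with each other and with your hostname.* files. As an added example that is not part of the original guide, here is a small POSIX sh check that runs against constructed copies of those files in a temporary directory (the directory layout and the check_dhcpd_setup name are assumptions):

```shell
#!/bin/sh
# Added example (not from the original guide): a consistency check for the
# dhcpd setup described above. It runs against a directory laid out like
# /etc (rc.conf, hostname.*, dhcpd.conf, dhcpd.interfaces) and flags the
# classic mistake of letting dhcpd listen on the cable-modem interface.
# The files below are constructed copies of the guide's settings, written
# to a temporary directory so the check runs stand-alone.
ETC=$(mktemp -d)
printf 'dhcpd_flags="-q"\n' > "$ETC/rc.conf"
printf 'inet 192.168.0.1 255.255.255.0 NONE\n' > "$ETC/hostname.fxp0"
printf 'dhcp\n' > "$ETC/hostname.rl0"
printf 'fxp0\n' > "$ETC/dhcpd.interfaces"
printf 'subnet 192.168.0.0 netmask 255.255.255.0 {\n\toption routers 192.168.0.1;\n}\n' \
    > "$ETC/dhcpd.conf"

# Report problems in the /etc-like directory $1; returns 0 only when none are found.
check_dhcpd_setup() {
    etc=$1; rc=0
    # dhcpd is only started when dhcpd_flags is a quoted string, not NO.
    grep -q '^dhcpd_flags="' "$etc/rc.conf" || { echo "dhcpd not enabled in rc.conf"; rc=1; }
    for ifc in $(cat "$etc/dhcpd.interfaces"); do
        hn="$etc/hostname.$ifc"
        if [ ! -f "$hn" ]; then
            echo "$ifc: listed in dhcpd.interfaces but has no hostname file"; rc=1
        elif grep -q '^dhcp' "$hn"; then
            echo "$ifc: gets its address by DHCP (modem side); dhcpd must not listen here"; rc=1
        else
            # Static LAN interface: its address should be the router handed out to clients.
            addr=$(awk '$1 == "inet" { print $2 }' "$hn")
            grep -q "option routers $addr;" "$etc/dhcpd.conf" ||
                { echo "$ifc: $addr is not the 'option routers' in dhcpd.conf"; rc=1; }
        fi
    done
    return $rc
}
check_dhcpd_setup "$ETC" && echo "dhcpd setup looks consistent"
```

On a real firewall, call it as `check_dhcpd_setup /etc` after editing the files and before rebooting.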