Configure OpenBSD as a routing firewall for a VLAN


In order to firewall your VLAN using a routing firewall, you'll first need the NOC to configure a subnet that runs all of your VLAN traffic through two NAMs. Connect both NAMs to the routing firewall. One becomes the external interface and gets an address on the new subnet, with that subnet's mask. The other becomes the internal interface and is configured with the gateway address of your current subnet.

The following section assumes the following:

  1. The public side of your firewall sits on subnet 169.237.efg.0/24 and the mask for that subnet is 255.255.255.0.
  2. The NIC on the public side of the firewall will have the ip address 169.237.efg.hij
  3. The up-level router in subnet 169.237.efg.0 has IP address 169.237.efg.klm.
  4. The clients on the private side of your subnet use 169.237.abc.254 as their gateway.
  5. The NICs on your firewall are ext0 and int1. Type /sbin/ifconfig -a to find out their real names.

If you're having trouble figuring out which physical port on your firewall matches which logical interface name from the ifconfig command, try this:

Fill in the following table to use your own network values in the remainder of these instructions. The NOC will have sent you some information for your "DMZ" VLAN. We'll use those values here.

  DMZ VLAN Name:
  DMZ Subnet:
  DMZ Gateway:
  DMZ External Firewall Interface:
  DMZ Subnet Mask:

  VLAN Subnet Mask:
  VLAN Gateway:
  External (public) NIC device name:
  Internal (private) NIC device name:

# Delete the existing configuration of the NIC that will face the NOC:

  /sbin/ifconfig ext0 delete

# If you had already configured the second NIC, delete that too:

  /sbin/ifconfig int1 delete

# ext0 gets the address in the new subnet the NOC gave you (assumption 2 above, with the mask from assumption 1).
# "NONE" in the hostname.if(5) line means "let the kernel pick the broadcast address". At boot this is equivalent to:
#   ifconfig ext0 inet 169.237.efg.hij netmask 255.255.255.0 description "external-port"

  /bin/echo 'inet 169.237.efg.hij 255.255.255.0 NONE description external-port' > /etc/hostname.ext0

# int1 gets an address in your current subnet. This address becomes the gateway for your clients (assumption 4 above). At boot this is equivalent to:
#   ifconfig int1 inet 169.237.abc.254 netmask 255.255.255.0 description "internal-port"

  /bin/echo 'inet 169.237.abc.254 255.255.255.0 NONE description internal-port' > /etc/hostname.int1

# This is the default gateway for the OpenBSD router itself: the NOC router on the same subnet as ext0's address (assumption 3 above).

  /bin/echo '169.237.efg.klm' > /etc/mygate

# Enable IP forwarding; without it the box will not route between the two interfaces. Edit /etc/sysctl.conf and uncomment (remove the #) from the line that reads:   #net.inet.ip.forwarding=1
# or use the following command to append the line to /etc/sysctl.conf (run it only once, or you end up with duplicate lines). Handing the same setting to sysctl(8) turns forwarding on immediately, without a reboot.

  /bin/echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf

# After rebooting, your computer will begin using the IP addresses configured above.

# To avoid conflicting addresses, either turn off other computers that have these IP addresses or unplug this firewall from the network until they are gone.

# reboot

  /sbin/shutdown -r now Rebooting...
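The steps above, as an added example that is not part of the original page: a small sh script that renders the same hostname.if(5) files, /etc/mygate and the sysctl line into a staging directory, after checking that the addresses fit together (the NOC router must be on ext0's subnet, and the clients' gateway must not be). The interface names ext0/int1 and the concrete addresses are assumed stand-ins for the page's efg.hij, efg.klm and abc.254 placeholders; review the staged files, then copy them into /etc on the firewall.

```shell
#!/bin/sh
# Added example, not from the original page: render the single-VLAN routing
# firewall configuration into a staging directory, after checking that the
# addresses fit together. The concrete addresses below are assumed stand-ins
# for the page's 169.237.efg.hij / efg.klm / abc.254 placeholders.
# Usage: gen_fw_config /tmp/stage   (review the files, then copy them to /etc)

EXT_IF=ext0                 # public NIC; assumed name, see /sbin/ifconfig -a
INT_IF=int1                 # private NIC; assumed name
EXT_ADDR=169.237.10.20      # assumed value for 169.237.efg.hij
EXT_MASK=255.255.255.0
EXT_GW=169.237.10.1         # assumed value for 169.237.efg.klm (NOC router)
INT_ADDR=169.237.30.254     # assumed value for 169.237.abc.254 (clients' gateway)
INT_MASK=255.255.255.0

# ip_to_int a.b.c.d -> the address as one unsigned integer
ip_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet ADDR1 ADDR2 MASK -> true when both addresses share the network
same_subnet() {
    m=$(ip_to_int "$3")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# check_addrs: /etc/mygate must be reachable on ext0's own subnet, and the
# clients' gateway must not sit in that subnet, or the box is not routing
# between two networks at all. Fails before anything is written.
check_addrs() {
    if ! same_subnet "$EXT_ADDR" "$EXT_GW" "$EXT_MASK"; then
        echo "check_addrs: $EXT_GW is not on $EXT_IF's subnet" >&2; return 1
    fi
    if same_subnet "$EXT_ADDR" "$INT_ADDR" "$EXT_MASK"; then
        echo "check_addrs: $INT_ADDR overlaps the external subnet" >&2; return 1
    fi
    return 0
}

# gen_fw_config STAGEDIR: write the hostname.if(5) files, mygate and the
# forwarding sysctl under STAGEDIR/etc. Safe to run repeatedly.
gen_fw_config() {
    root=${1:?usage: gen_fw_config STAGEDIR}
    check_addrs || return 1
    mkdir -p "$root/etc"
    echo "inet $EXT_ADDR $EXT_MASK NONE description external-port" > "$root/etc/hostname.$EXT_IF"
    echo "inet $INT_ADDR $INT_MASK NONE description internal-port" > "$root/etc/hostname.$INT_IF"
    echo "$EXT_GW" > "$root/etc/mygate"
    # append the forwarding line only if it is not already there, so a second
    # run does not leave duplicate entries in sysctl.conf
    grep -qs '^net.inet.ip.forwarding=1' "$root/etc/sysctl.conf" ||
        echo 'net.inet.ip.forwarding=1' >> "$root/etc/sysctl.conf"
    # hostname.if files are root-only on OpenBSD because some carry secrets
    chmod 640 "$root/etc/hostname.$EXT_IF" "$root/etc/hostname.$INT_IF"
}
```

The address check is the part worth keeping even if you type the echo lines by hand: a typo that puts /etc/mygate outside ext0's subnet leaves the router with no usable default route after the reboot, and since the box is headless in a rack that is an unpleasant way to find out.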


Multi-VLAN configuration

If you then want to support multiple VLANs on the same firewall using VLAN tagging, the modifications to the above are few and relatively minor. In addition to the information mentioned above, you will need to obtain from the NOC the VLAN number (802.1Q tag) for each network.

In general, what you are doing is replacing the configuration of your internal NIC with several virtual interfaces, one per VLAN, all carried over the same physical port. Assume we call these virtual interfaces vlan0 and vlan1.

First, move aside the old configuration for the internal interface and then configure the interface as just "up", with no address of its own:

  /bin/mv /etc/hostname.int1 /etc/hostname.int1.old_single_vlan

  /bin/echo 'up' > /etc/hostname.int1

Then construct one line for each VLAN using the following general format:

  inet <gateway-address> <subnet-mask> NONE vlan <vlan-number> vlandev <internal-interface>

and place each line in a file named /etc/hostname.vlanN, where N is 0, 1, 2, ... (Newer OpenBSD releases replaced the vlan/vlandev keywords with "vnetid <vlan-number> parent <internal-interface>"; check ifconfig(8) and hostname.if(5) on the release you run.)

Here's an example using 2 VLANs (the first keeps the old single-VLAN gateway address):

  /bin/echo 'inet 169.237.abc.254 255.255.255.0 NONE vlan 106 vlandev int1' > /etc/hostname.vlan0

  /bin/echo 'inet 128.120.224.254 255.255.255.128 NONE vlan 331 vlandev int1' > /etc/hostname.vlan1

Then coordinate the cutover with the NOC: once int1 is up with no address of its own, untagged traffic arriving on it no longer belongs to any of your subnets, so the switch port must start delivering each subnet tagged with its VLAN number at the same time you enter these configuration changes and reboot your firewall.

If your rule file does the bulk of its filtering on the external interface, then it can be used as-is.

If you had a rule such as this on the internal interface:

   # Don't filter on internal interface
   pass in on $int_if all label "Internal if in"
   pass out on $int_if all label "Internal if out"

you will want to replace it with something like:

   # Don't filter on internal interfaces
   pass in  on vlan0 all label "Vlan0 if in"
   pass out on vlan0 all label "Vlan0 if out"
   pass in  on vlan1 all label "Vlan1 if in"
   pass out on vlan1 all label "Vlan1 if out"

Keep them at the same place in the file as the old $int_if rules: pf applies the last matching rule, so moving them changes what wins. Labelling each pair separately means pftop and pfctl -vs rules show how much traffic is passing in and out of each VLAN interface.
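The two pieces above, the hostname.vlanN files and the per-VLAN pass rules, are built from the same list, so as an added example (not from the original page) here is a script that generates both from one table and refuses VLAN numbers outside the 802.1Q range. The trunk NIC name int1 and the two VLAN ids and addresses are assumed stand-ins, the same ones used in the example above.

```shell
#!/bin/sh
# Added example, not from the original page: build the hostname.vlanN files
# and the matching unfiltered pf rules from one table, so the interface list
# and the ruleset cannot drift apart. Assumed: the trunk NIC is int1 and the
# two VLAN ids/addresses below are stand-ins for the page's example values.
INT_IF=int1

# One VLAN per line: <vlan-id> <gateway-address> <subnet-mask>
# Interfaces are numbered vlan0, vlan1, ... in this order.
VLANS='106 169.237.30.254 255.255.255.0
331 128.120.224.254 255.255.255.128'

# vlan_ok ID: an 802.1Q tag is 12 bits; 0 and 4095 are reserved.
vlan_ok() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# gen_vlan_files STAGEDIR: hostname.int1 becomes just "up"; each VLAN gets
# STAGEDIR/etc/hostname.vlanN in the page's syntax. Releases that dropped the
# vlan/vlandev keywords take "vnetid ID parent int1" instead (see ifconfig(8)).
gen_vlan_files() {
    root=${1:?usage: gen_vlan_files STAGEDIR}
    mkdir -p "$root/etc"
    echo up > "$root/etc/hostname.$INT_IF"
    n=0
    # the here-document keeps the loop in the current shell, so "return 1"
    # on a bad id really aborts the function
    while read -r id gw mask; do
        [ -n "$id" ] || continue
        vlan_ok "$id" || { echo "gen_vlan_files: bad VLAN id '$id'" >&2; return 1; }
        echo "inet $gw $mask NONE vlan $id vlandev $INT_IF" > "$root/etc/hostname.vlan$n"
        n=$((n + 1))
    done <<EOF
$VLANS
EOF
}

# gen_pf_rules: print the "don't filter on the internal side" rules, one pair
# per VLAN interface, each with its own label so pftop and "pfctl -vs rules"
# show per-VLAN packet counters.
gen_pf_rules() {
    n=0
    while read -r id gw mask; do
        [ -n "$id" ] || continue
        printf 'pass in  on vlan%d all label "Vlan%d if in"\n'  "$n" "$n"
        printf 'pass out on vlan%d all label "Vlan%d if out"\n' "$n" "$n"
        n=$((n + 1))
    done <<EOF
$VLANS
EOF
}
```

Run gen_pf_rules and paste its output where the old $int_if rules were; adding a third VLAN is then one more line in the table rather than two files and four rules edited by hand.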

Managing PF

# To load rules from pf.conf into pf:

  pfctl -f /etc/pf.conf

# To test rules from pf.conf without loading them into pf:

  pfctl -n -f /etc/pf.conf

# To reload only the packet-filtering rules, leaving options and other features unchanged (existing connections stay intact). The -R flag exists only in older pfctl releases; on newer ones the plain -f form above loads the whole ruleset and likewise keeps existing states, so check pfctl(8) on your release:

  pfctl -R -f /etc/pf.conf

# To view current pf rules:

  pfctl -s rules

# To view verbose output when viewing current pf rules (add a second -v to see the rule numbers that pflog reports):

  pfctl -v -s rules


Useful geology firewall commands

# To update the pf.conf-test file, copy the new ruleset to the clipboard,
# then run the following command, paste the ruleset into the editor and save:

  rm /etc/pf.conf-test ; vi /etc/pf.conf-test

# To check the syntax of the new pf.conf-test file, type:

  pfctl -n -f /etc/pf.conf-test

# To load the updated pf.conf-test file into pf, type the following. Do NOT put "pfctl -F all" in front of it: that
# flushes every rule and every state, so the firewall passes everything unfiltered until the new file finishes
# loading, and your own ssh session may be dropped. Loading with -f replaces the ruleset in one step and keeps
# existing states; if you really need the states gone too, flush them afterwards with "pfctl -F states".

  pfctl -f /etc/pf.conf-test

# To clear the /var/log/pflog file and restart logging. type:

  cat /dev/null > /var/log/pflog ; kill -HUP `cat /var/run/pflogd.pid`

# To view the current contents of the ssh bruteforce memory table, type:

  pfctl -t bruteforce -T show

# To view the current contents of the badhosts memory table, type:

  pfctl -t badhosts -T show

# To view the current contents of the badhosts memory table, with statistics, type:

  pfctl -t badhosts -T show -v

# To reload the /etc/badhosts file into pf after updating the file, type:

  pfctl -t badhosts -T replace -f /etc/badhosts

# To view addresses in the spamd-white table, type:

  pfctl -t spamd-white -T show

# To load a new IP address into the spamd-white table, type:

  pfctl -t spamd-white -T add ip-address

# To view blocked egress packets, assuming your default block-out rule is rule 3 (the number pfctl -vvs rules prints
# as "@3") and logging is enabled on it, type:

  tcpdump -n -e -ttt -r /var/log/pflog > /tmp/blockout ; grep rule\ 3/ /tmp/blockout
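The PF housekeeping in the two sections above (check, then load; reload the badhosts table; pick blocked egress packets out of pflog) as an added example, not part of the original page: a few sh functions that put the syntax check in front of every load, validate /etc/badhosts before handing it to pfctl, and filter pflog output by rule number. PFCTL and PFLOG are assumed override variables so the functions can be exercised without root or a live pf; the table name, file names and the "rule N/(match) block out" line format are the page's own.

```shell
#!/bin/sh
# Added example, not from the original page: helpers for the pf housekeeping
# above. PFCTL can be pointed at a stub so the control flow runs without root
# or a live pf; only real pfctl(8) options are used. Table name, file names
# and the pflog line format follow the page; nothing else is assumed.
PFCTL=${PFCTL:-/sbin/pfctl}
PFLOG=${PFLOG:-/var/log/pflog}

# pf_load [FILE]: syntax-check, then load with plain -f. Loading a ruleset
# with -f swaps it in one step and keeps existing states; "pfctl -F all"
# first would drop every state AND every rule, leaving the box unfiltered
# (and your ssh session possibly dead) until the new file loads.
pf_load() {
    f=${1:-/etc/pf.conf}
    if ! "$PFCTL" -n -f "$f"; then
        echo "pf_load: $f failed the syntax check, nothing loaded" >&2
        return 1
    fi
    "$PFCTL" -f "$f"
}

# valid_cidr ENTRY: a.b.c.d or a.b.c.d/nn, octets 0-255, nn 0-32.
valid_cidr() {
    case $1 in
        */*) ip=${1%/*}; len=${1#*/} ;;
        *)   ip=$1; len=32 ;;
    esac
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# check_hostfile FILE: every non-blank, non-comment line must be one address
# or prefix. One malformed line makes "pfctl -T replace -f" reject the whole
# file, so the old table contents would silently stay in force.
check_hostfile() {
    f=$1; bad=0
    while read -r line; do
        set -- ${line%%#*}                  # drop comments, split on blanks
        [ $# -gt 0 ] || continue
        if [ $# -ne 1 ] || ! valid_cidr "$1"; then
            echo "check_hostfile: bad entry in $f: $line" >&2; bad=1
        fi
    done < "$f"
    return $bad
}

# badhosts_reload [FILE]: validate first, then replace the table atomically.
badhosts_reload() {
    f=${1:-/etc/badhosts}
    check_hostfile "$f" || return 1
    "$PFCTL" -t badhosts -T replace -f "$f"
}

# filter_blocked RULENUM: from decoded pflog text on stdin, keep the packets
# the given rule blocked on the way out ("rule 3/(match) block out on ...").
# "rule 3/" with the slash does not also match rule 33.
filter_blocked() {
    grep "rule $1/" | grep 'block out'
}

# blocked_egress RULENUM: the page's tcpdump | grep pipeline, without the
# temporary file in /tmp.
blocked_egress() {
    tcpdump -n -e -ttt -r "$PFLOG" | filter_blocked "$1"
}
```

Source the file and call pf_load /etc/pf.conf-test or badhosts_reload from the console; a bad line is reported with its file and contents before anything reaches pf, which is the moment you want to learn about it rather than after the next reload silently keeps the stale table.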


Useful OpenBSD Commands

# To show how many states are running concurrently and other useful information type:

  /usr/local/sbin/pftop

(press right arrow to toggle modes)

# To see logged packets type:

  tcpdump -n -e -ttt -r /var/log/pflog

# To see logged packets scroll on the screen type:

  tcpdump -n -e -ttt -i pflog0

# To see logged packets scroll on the screen for a single host type:

  tcpdump -n -e -ttt -i pflog0 host <hostname or ip>

# To clear /var/log/pflog and have pflog start logging again type:

  rm /var/log/pflog ; kill -HUP `cat /var/run/pflogd.pid`

# To show the amount of free disk space type:

  df -h

# To show the amount of CPU utilization type:

  top -o cpu

# To mount a floppy type:

  mount -t msdos /dev/fd0a /mnt

# To mount a USB flash drive type (typical):

  mount -t msdos /dev/sd0i /mnt

# To copy a file to the mounted floppy type:

  cp <file> /mnt

# To unmount a drive mounted to /mnt type:

  umount /mnt


# Make sure your current directory isn't /mnt or a subfolder when you do this or it won't unmount.

# To display your current default directory type

  pwd

# To clear the display type

  clear

Ctrl-Z suspends the job running in the foreground; bg lets it continue in the background and fg returns it to the foreground.

Ctrl-C kills the job running in the foreground.


Setting up ftp-proxy:

  Instructions available here:

    http://home.nuug.no/~peter/pf/en/newftpproxy.html


Resources


Comments or corrections for this page should be sent to: waterstraat@geology.ucdavis.edu