Fill in the following table to use your own network values in the remainder of these instructions. The NOC will have sent you some information for your "DMZ" VLAN. We'll use those values here.

If you're having trouble figuring out which physical port on your firewall matches which logical port name from the ifconfig command, try this:
- Disconnect all ethernet cables from your firewall
- Plug an ethernet cable into one port on your firewall and the other end into an ethernet hub or switch. (The switch doesn't need to be connected to the network, just powered on so it can supply a link signal to the firewall port.)
- Run the /sbin/ifconfig -a command on the firewall and see which logical device is now "status: active".
- Only one port at a time should show up as active -- the one with the ethernet cable plugged into it.
- Write down the active logical device name and physical port name pair.
- Move the ethernet cable to a different port on your firewall and run the /sbin/ifconfig -a command again.
- Repeat until you've mapped out all the necessary ports.
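The cable-moving procedure above can be scripted. This is an added example, not part of the original page: active_ifaces() parses "ifconfig -a" output for the "status: active" line, active_iface_or_status() flags the "nothing active" and "more than one active" cases the procedure says should not occur, and map_ports() walks you through the ports. The interface names and sample ifconfig output are constructed.

```sh
# Added example (not from the original page). Interface names and the
# sample "ifconfig -a" output below are constructed for illustration.

# Read "ifconfig -a" output on stdin; print the name of every interface
# whose block contains "status: active", one per line.
active_ifaces() {
  awk '
    /^[a-z]+[0-9]+:/ { iface = $1; sub(/:$/, "", iface) }   # start of an interface block
    /status: active/ { print iface }                        # that interface has link
  '
}

# Same input; print exactly one line: the single active interface, "none" if
# no port has link, or "ambiguous: ..." if several do (cable not moved, or a
# port still connected), which the procedure above says should not happen.
active_iface_or_status() {
  names=$(active_ifaces)
  n=$(printf '%s\n' "$names" | awk 'NF { c++ } END { print c + 0 }')
  case $n in
    0) echo none ;;
    1) echo "$names" ;;
    *) echo "ambiguous: $(printf '%s' "$names" | tr '\n' ' ' | sed 's/ $//')" ;;
  esac
}

# Interactive helper, one label per physical port as marked on the case:
#   map_ports "port A" "port B" "port C"
map_ports() {
  for label in "$@"; do
    printf 'Plug the cable into %s and press Enter... ' "$label"
    read -r _
    printf '%s -> %s\n' "$label" "$(/sbin/ifconfig -a | active_iface_or_status)"
  done
}

# Constructed sample of "ifconfig -a" output: only em1 currently has link.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33184
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (none)
        status: no carrier
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33184'
```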
```sh
# Delete existing NIC configuration
/sbin/ifconfig ext0 delete
# If you configured the second NIC type:
/sbin/ifconfig int1 delete

# This is the IP in the new subnet NOC gave you:
# sets up: ifconfig ext0 inet 169.237.efg.hij netmask 255.255.255.def description "external-port"
/bin/echo 'inet 169.237.efg.hij 255.255.255.def NONE description external-port' > /etc/hostname.ext0

# This is in your current subnet. This address will be the gateway for your clients:
# sets up: ifconfig int1 inet 38.107.191.254 netmask 255.255.255.0 description "internal-port"
/bin/echo 'inet 38.107.191.254 255.255.255.0 NONE description internal-port' > /etc/hostname.int1

# This is the gateway for your OpenBSD router. It's a NOC router on the same subnet as ext0's ip address.
/bin/echo '169.237.efg.klm' > /etc/mygate

# Enable ip forwarding. Edit /etc/sysctl.conf and uncomment (remove the #) the line that reads:
#net.inet.ip.forwarding=1
# or use the following command to append the line to /etc/sysctl.conf
/bin/echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf

# After rebooting your computer will begin using the IP addresses configured above.
# To avoid conflicting addresses you should either turn off other computers with these IP addresses
# or you should unplug this firewall from the network.
# reboot
/sbin/shutdown -r now
Rebooting...
```
Multi-VLAN configuration
If you then want to support multiple VLANs on the same firewall using VLAN tagging, the modifications to the above are few and relatively minor. You will need to obtain from the NOC the VLAN numbers for each network, in addition to the information mentioned above.

In general what you are doing is replacing the configuration of your internal NIC with several virtual interfaces. Assume we call these virtual interfaces vlan0 and vlan1. First, move aside the old configuration for the internal interface and then configure the interface as "up":

```sh
/bin/mv /etc/hostname.int1 /etc/hostname.int1.old_single_vlan
/bin/echo 'up' > /etc/hostname.int1
```

Then construct one command for each VLAN using the following general format:

```
inet <gateway-address> <subnet-mask> NONE vlan <vlan-number> vlandev <internal-interface>
```

and place each command in a file named /etc/hostname.vlann (vlan0, vlan1, and so on).

Here's an example using 2 VLANs:

```sh
/bin/echo 'inet 38.107.191.254 255.255.255.0 NONE vlan 114 vlandev int1' > /etc/hostname.vlan0
/bin/echo 'inet 128.120.224.254 255.255.255.128 NONE vlan 355 vlandev int1' > /etc/hostname.vlan1
```
Then just coordinate the initiation of VLAN tagging for your subnets, enter these configuration changes and reboot your firewall.
If your rule file does the bulk of its filtering on the external face, then it can be used as-is. If you had a rule such as this on the internal interface:

```
# Don't filter on internal interface
pass in on $int_if all label "Internal if in"
pass out on $int_if all label "Internal if out"
```

you will want to replace it with something like:

```
# Don't filter on internal interface
pass in on vlan0 all label "Vlan0 if in"
pass out on vlan0 all label "Vlan0 if out"
pass in on vlan1 all label "Vlan1 if in"
pass out on vlan1 all label "Vlan1 if out"
```

That way pftop will show you how much traffic is passing in and out of each VLAN interface.
Managing PF
```sh
# To load rules from pf.conf into pf:
pfctl -f /etc/pf.conf
# To test rules from pf.conf without loading them into pf:
pfctl -n -f /etc/pf.conf
# To reload packet-filtering rules but leave options and other features unchanged (leaves existing connections intact):
pfctl -R -f /etc/pf.conf
# To view current pf rules:
pfctl -s rules
# To view verbose output when viewing current pf rules:
pfctl -v -s rules
```
Useful geology commands
```sh
# To update the pf.conf-test file, copy the ruleset to the clipboard,
# then use the following command, insert the new ruleset and save:
rm /etc/pf.conf-test ; vi /etc/pf.conf-test
# To check syntax of the new pf.conf-test file, type:
pfctl -n -f /etc/pf.conf-test
# To load the updated pf.conf-test file into pf, type:
pfctl -F all ; pfctl -f /etc/pf.conf-test
# To clear the /var/log/pflog file and restart logging, type:
cat /dev/null > /var/log/pflog ; kill -HUP `cat /var/run/pflogd.pid`
# To view the current contents of the ssh bruteforce memory table, type:
pfctl -t bruteforce -T show
# To view the current contents of the badhosts memory table, type:
pfctl -t badhosts -T show
# To view the current contents of the badhosts memory table, with statistics, type:
pfctl -t badhosts -T show -v
# To reload the /etc/badhosts file into pf after updating the file, type:
pfctl -t badhosts -T replace -f /etc/badhosts
# To view addresses in the spamd-white table, type:
pfctl -t spamd-white -T show
# To load a new IP address into the spamd-white table, type:
pfctl -t spamd-white -T add ip-address
# To view blocked egress packets, assuming your default block out rule is "Rule 3" and logging is enabled, type:
tcpdump -n -e -ttt -r /var/log/pflog > /tmp/blockout ; grep rule\ 3/ /tmp/blockout

# To show how many states are running concurrently and other useful information, type:
/usr/local/sbin/pftop
# (press right arrow to toggle modes)
# To see logged packets, type:
tcpdump -n -e -ttt -r /var/log/pflog
# To see logged packets scroll on the screen, type:
tcpdump -n -e -ttt -i pflog0
# To see logged packets scroll on the screen for a single host, type:
tcpdump -n -e -ttt -i pflog0 host <hostname or ip>
# To clear /var/log/pflog and have pflog start logging again, type:
rm /var/log/pflog ; kill -HUP `cat /var/run/pflogd.pid`
# To show the amount of free disk space, type:
df -h
# To show the amount of CPU utilization, type:
top -o cpu
# To mount a floppy, type:
mount -t msdos /dev/fd0a /mnt
# To mount a USB flash drive, type (typical):
mount -t msdos /dev/sd0i /mnt
# To copy a file to floppy, type:
cp
```
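The "grep rule\ 3/" step above only answers one question about one rule. As an added example, not part of the original page, the two functions below take the text of "tcpdump -n -e -ttt -r /var/log/pflog" on stdin and summarise it: pflog_summary() counts packets per rule number, action and direction, and blocked_egress_dests() lists which destinations the default block-out rule is stopping internal hosts from reaching. The rule numbers, addresses and log lines are constructed samples in the "rule N/(match) block out on IF: ..." format tcpdump prints for pflog.

```sh
# Added example (not from the original page). The sample log lines and the
# rule numbers/addresses in them are constructed, not taken from a real host.

# Count logged packets per (rule number, action, direction); prints one line
# each, e.g. "rule 3 block out 3", sorted by rule number.
pflog_summary() {
  awk '
    match($0, /rule [0-9]+\/[0-9]*\(match\) (block|pass) (in|out) on [a-z0-9]+/) {
      split(substr($0, RSTART, RLENGTH), f, " ")
      sub(/\/.*/, "", f[2])                    # "3/(match)" -> "3"
      count[f[2] " " f[3] " " f[4]]++
    }
    END { for (k in count) print "rule " k " " count[k] }
  ' | sort -k2,2n
}

# For packets blocked outbound, count destination endpoints (addr.port as
# tcpdump prints them), most frequent first: a quick view of what inside
# hosts are trying to reach that the block-out rule is stopping.
blocked_egress_dests() {
  awk '
    /\(match\) block out on / && match($0, /> [0-9a-f.:]+:/) {
      n[substr($0, RSTART + 2, RLENGTH - 3)]++   # strip "> " and trailing ":"
    }
    END { for (d in n) print d, n[d] }
  ' | sort -k2,2nr -k1,1
}

# Constructed sample: three packets blocked outbound by rule 3 (two to the
# same mail server), one blocked inbound by rule 7, one passed by rule 12.
SAMPLE_PFLOG='000000 rule 3/(match) block out on em0: 38.107.191.10.49152 > 203.0.113.5.25: S 1:1(0) win 65535
000123 rule 3/(match) block out on em0: 38.107.191.10.49153 > 203.0.113.5.25: S 2:2(0) win 65535
000045 rule 3/(match) block out on em0: 38.107.191.22.40000 > 198.51.100.9.6667: S 3:3(0) win 65535
000200 rule 7/(match) block in on em0: 192.0.2.77.55000 > 169.237.1.2.22: S 4:4(0) win 8192
000010 rule 12/(match) pass in on em0: 192.0.2.80.55001 > 169.237.1.2.80: S 5:5(0) win 8192'
```

On a real firewall run them as `tcpdump -n -e -ttt -r /var/log/pflog | pflog_summary`; the same input works for both functions.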