How to build an OpenBSD 2.9 based firewall / IDS sensor
(Advanced level article)

Installing OpenBSD 2.9
Before installing OpenBSD you will need to support the cause by purchasing
the latest version on CD, or you can do an FTP install, for which no CDs are
needed. If you proceed with the FTP install, please support the cause by
purchasing the CDs later; after falling in love with this robust operating
system I am sure you will end up with the hats and T-shirts too. This HOWTO
is based on the CD-ROM install, but it can be used for the FTP install as
well with very few differences.
1.) Installing OpenBSD: I thought this was one of the easiest Unixes I have
ever installed, and if I can accomplish this task, so can you. The best
resource for getting it done is the installation FAQ at
http://www.openbsd.org/faq/faq4.html. Other websites that may help you with
this task are listed at the end of this HOWTO in the links/appendixes
section.

2.) After your install is complete and your machine is running, you now need
to get the latest updates and patches, which are available from
ftp://ftp.openbsd.org. Before logging into the remote FTP site, cd /tmp on
your local system, so that the file you pull down lands in your tmp
directory, which is wiped clean on reboot. After logging into the FTP site,
cd /pub/OpenBSD/patches and grab the 2.9.tar.gz file. Check back
periodically: new errata are added to this tarball as they are released.
Now run tar -zxvf 2.9.tar.gz, which creates /tmp/2.9. There are two
directories in there we need to be concerned with: common, which contains
the platform-independent patches, and i386, which contains the patches
specific to Intel-based machines. In either of these directories you can
run head patch_filename, which prints the exact instructions for applying
that patch. For bmap.patch they look like this:
cd /usr/src/sys
patch -p0 < bmap.patch
There is one gotcha: because you are working out of /tmp and the
instructions have you cd into the source tree first, you must give the
full path to the patch file. Example:
patch -p0 < /tmp/2.9/common/bmap.patch
Continue this process for every patch in the two directories that apply to
our machine, again common and i386. I myself did bypass the sendmail patch
on my firewall because sendmail is neither running nor listening there, but
if you intend to run sendmail on your firewall, perhaps as a mail router,
then applying that patch is a must. Once again, though, I do not recommend
running any services on your firewall; this should be the most secure
machine on your network.
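The patching routine above as a small shell script. This is an added example, not code from the original HOWTO or from the OpenBSD project: it prints the header you would otherwise read with head, resolves the patch file to a full path before cd'ing into the source tree (the gotcha above), dry-runs the patch before touching anything, and lets you skip patches by name, as the text does with sendmail. The miniature source tree and patch file it builds for trying this offline are constructed for the example, as are the function names and the assumption that a patch's instructions sit above its first Index: line.

```sh
#!/bin/sh
# Apply OpenBSD errata patches with the header shown first and a dry run
# before anything is changed. Added example, not from the original HOWTO.
# Assumptions: instructions sit above the first "Index:" line, and patches
# apply with -p0 from the directory the header names (passed as SRCROOT).

# show_instructions PATCHFILE: the part of the header you would read with
# "head patch_filename" (everything above the first Index: line).
show_instructions() {
  awk '/^Index:/ { exit } { print }' "$1"
}

# dry_run_flag: GNU/busybox patch spell it --dry-run, OpenBSD patch spells it -C
dry_run_flag() {
  if patch --help 2>&1 | grep -q -- '--dry-run'; then echo --dry-run; else echo -C; fi
}

# apply_patch SRCROOT PATCHFILE: resolve the patch file to a full path first,
# because after "cd /usr/src/sys" a name like 2.9/common/bmap.patch would point
# at the wrong place. -N makes an already-applied patch fail instead of
# prompting to reverse it. Returns non-zero, changing nothing, if the dry run fails.
apply_patch() {
  srcroot=$1 patchfile=$2
  case $patchfile in /*) ;; *) patchfile=$PWD/$patchfile ;; esac
  [ -f "$patchfile" ] || { echo "no such patch: $patchfile" >&2; return 1; }
  ( cd "$srcroot" && patch "$(dry_run_flag)" -N -p0 < "$patchfile" ) >/dev/null 2>&1 || return 1
  ( cd "$srcroot" && patch -N -p0 < "$patchfile" )
}

# apply_dir SRCROOT PATCHDIR [SKIP...]: every *.patch in PATCHDIR except the
# names listed, e.g. the sendmail patch on a box that runs no sendmail.
apply_dir() {
  srcroot=$1 dir=$2; shift 2
  for p in "$dir"/*.patch; do
    [ -f "$p" ] || continue
    for s in "$@"; do [ "$(basename "$p")" = "$s" ] && continue 2; done
    echo "== $p"; show_instructions "$p"
    apply_patch "$srcroot" "$p" || { echo "FAILED: $p" >&2; return 1; }
  done
}

# make_fixture: a constructed miniature source tree and patch for trying the
# functions offline (not a real OpenBSD patch). Prints the work directory.
make_fixture() {
  work=$(mktemp -d)
  mkdir -p "$work/src/sys/kern" "$work/2.9/common"
  printf 'int limit = 1;\n' > "$work/src/sys/kern/example.c"
  cat > "$work/2.9/common/example.patch" <<'EOF'
Apply by doing:
        cd /usr/src/sys
        patch -p0 < example.patch
Then rebuild your kernel.

Index: kern/example.c
--- kern/example.c
+++ kern/example.c
@@ -1 +1 @@
-int limit = 1;
+int limit = 2;
EOF
  echo "$work"
}
```

On a real 2.9 box the calls are apply_dir /usr/src/sys /tmp/2.9/common and apply_dir /usr/src/sys /tmp/2.9/i386, with any patch names to skip appended; a patch whose dry run fails leaves the tree untouched, which is the moment to read its header again rather than force it.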
Edit and Optimize your Kernel
1.) Assuming you have installed from CD and have the kernel sources on your
machine, cd /usr/src/sys/arch/i386/conf. Here you should see the GENERIC
kernel configuration file; this is the one we base ours on, and you can view
it by typing "more GENERIC".
2.) Before editing anything, make a copy of the file with
"cp GENERIC YOURKERNEL", then "vi YOURKERNEL", go all the way to the bottom
of the file and add these options. They are not needed to complete your
firewall install, but they tune the firewall:
option NMBCLUSTERS=8192
option NKMEMCLUSTERS=8192
option MAX_KMAP=120
option MAX_KMAPENT=6000
These values, especially NMBCLUSTERS and NKMEMCLUSTERS, can be altered, but
what is sensible depends on how much memory your machine has; you only want
to dedicate a small portion of your RAM to these buffers.
I would start with these values before trying to tweak further. That is it
for editing your kernel; simple, huh? Now let's move on to compiling and
installing the new kernel.
Compile your new Kernel
1.) Make sure you are in "/usr/src/sys/arch/i386/conf" and run
"config -s /usr/src/sys -b . YOURKERNEL". This checks your kernel
configuration file for errors and sets up the build directory, which because
of "-b ." is the conf directory itself. If you have followed this HOWTO
exactly you should not see any errors; if there are any, config exits early
and states the error. Document the error well and research it on
www.openbsd.org, or search for your particular error with www.google.com.
Do not let this part scare you: I have built many OpenBSD machines and never
had this step fail on me.
2.) Now issue "make clean", then "make depend", then "make". Example:
cd /usr/src/sys/arch/i386/conf
config -s /usr/src/sys -b . YOURKERNEL
make clean
make depend
make
3.) You have just compiled your new kernel; a successful make ends with the
size(1) output for the new kernel (its text, data and bss figures). Easy so
far, huh?
Install the new Kernel
Your new kernel is the file named bsd in the directory you are currently in,
which should be "/usr/src/sys/arch/i386/conf". Installing it is easy, but
first let's give ourselves a way out: keep the old kernel as a backup in
case the new one does not boot, with "mv /bsd /bsd.old". Then install the
new kernel with "cp ./bsd /"; the next time you reboot, the machine boots
from the new kernel. Should the new kernel fail to boot, you can start the
backup from the boot> prompt (for example "boot /bsd.old"; see boot(8)).
Finally, "cd /" before rebooting. (Your shell's working directory has no
effect on the boot itself; the two things that matter are that /bsd is the
complete new kernel and that /bsd.old is there as a fallback.) Example:
mv /bsd /bsd.old
cp ./bsd /
cd /
4.) Now the true test: reboot your machine. Of course it will boot up,
trust me :).
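The whole kernel procedure above (copy GENERIC, append the options, config, make, back up and install) as one shell script. This is an added example, not part of the original HOWTO: the option list is the article's, while the function names, the --run switch and the stub GENERIC used to exercise make_config offline are assumptions of the example. Appending is idempotent, so re-running the script never duplicates an option line in YOURKERNEL.

```sh
#!/bin/sh
# Kernel configure/build/install helpers for the procedure described above.
# Added example, not code from the original HOWTO. Assumptions: the 2.9
# layout the article uses (/usr/src/sys/arch/i386/conf holding GENERIC,
# config(8) taking -s and -b, the built image named bsd) and the --run
# switch, which exists only so the file can be sourced without building.

CONF=${CONF:-/usr/src/sys/arch/i386/conf}
KERNEL=${KERNEL:-YOURKERNEL}

# The tuning options from the article; sized as a small slice of RAM.
TUNING='option NMBCLUSTERS=8192
option NKMEMCLUSTERS=8192
option MAX_KMAP=120
option MAX_KMAPENT=6000'

# make_config CONFDIR NAME: copy GENERIC to NAME once, then append each tuning
# option whose key is not already present, so re-running never duplicates a line.
make_config() {
  dir=$1 name=$2
  [ -f "$dir/$name" ] || cp "$dir/GENERIC" "$dir/$name"
  printf '%s\n' "$TUNING" | while IFS= read -r line; do
    key=${line%%=*}                         # e.g. "option NMBCLUSTERS"
    grep -q "^$key=" "$dir/$name" || printf '%s\n' "$line" >> "$dir/$name"
  done
}

# count_option CONFDIR NAME KEY: how many "option KEY=" lines the file has
count_option() {
  grep -c "^option $3=" "$1/$2"
}

# build_kernel CONFDIR NAME: config(8) then make, in the conf directory itself
# (-b .), exactly as in the article; stops at the first failing step.
build_kernel() {
  cd "$1" || return 1
  config -s "${1%/arch/*}" -b . "$2" || return 1   # config errors end here
  make clean && make depend && make
}

# install_kernel CONFDIR: keep the running kernel as /bsd.old, copy the new one
# in, and list both so you can see the copy completed before rebooting.
install_kernel() {
  if [ ! -s "$1/bsd" ]; then echo "no kernel built in $1" >&2; return 1; fi
  if [ -f /bsd.old ]; then echo "note: replacing the existing /bsd.old backup" >&2; fi
  mv /bsd /bsd.old && cp "$1/bsd" /bsd && ls -l /bsd /bsd.old
}

if [ "${1:-}" = "--run" ]; then
  make_config "$CONF" "$KERNEL" && build_kernel "$CONF" "$KERNEL" && install_kernel "$CONF"
fi
```

Run it as "sh build_kernel.sh --run" on the firewall itself; without --run the file only defines the functions, which is how make_config can be tried against a throwaway directory first.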
Edit /etc/inetd.conf to turn off all unneeded services.
1.) If you are familiar with the inetd.conf file, you know this is where you
turn off services by commenting them out: put a # in front of every service
you do not need.
2.) OpenBSD also gives us another way of doing this, through /etc/rc.conf,
where you will find a line that looks like
inetd=YES # almost always needed
As you can see, it says almost always needed; in our case it is not needed
at all, so instead of editing /etc/inetd.conf and commenting out every
entry, just turn inetd off here in /etc/rc.conf:
inetd=NO # almost always needed
3.) While you are in /etc/rc.conf you will see other services listed as
well, and you can turn them off the same way, by setting each to NO (the
case matters). The only other one I recommend turning off at this point is
sendmail; remember, OpenBSD starts sendmail at boot, and it is controlled
here by the sendmail_flags variable (set it to NO).
4.) Still in /etc/rc.conf, it is time to make our machine act as our
firewall/NAT box. We do that by making sure these options look like so:
ipfilter=YES
ipnat=YES # for "YES" ipfilter must also be "YES"
5.) These two options are a must if you plan on using NAT. If you are not
sure what NAT is or what it does, you can go to
http://www.ietf.org/html.charters/nat-charter.html and learn everything you
need to know about it. But because you are reading this HOWTO, I assume you
are using your machine as a firewall/router, possibly connected to a DSL or
cable network, and you will be using NAT.