BSD Firewall / Configure the firewall and router

Maintained and written by Elijah at www.digitalrage.org

Part 3 of 3 (start )

(which it does a very good job at I may add)

1.) Now lets make OpenBSD a router by editing your /etc/sysctl.conf file. The very first line which permits the machine to act as a router basically forwarding packets from one interface to the other. That first line should look as so

That's it been easy so far huh and to think you are just about 3/4 of the way through building your firewall/router. If you knew it was this easy you never would have purchased that Cable/DSL gateway you have now, right?

2.) I bet you are so eager you are trying out your firewall right now only to be dissapointed and find out that nothing is happening. The reason for that is we do not have our /etc/ipnat.rules or the /etc/ipf.rules in place. The /etc/ipnat.rules which are put in place to allow you to translate your private/reserved ip address space to your public ip address space provided by your cable/dsl isp, of course you knew that already because I am sure you went and read all about NAT at http://www.ietf.org/html.charters/nat-charter.html that I referenced earlier in this doc.

Here is a copy of what your /etc/ipnat.rules should look like.

Basically what this is doing is allowing your internal machines to be able to get out to the internet with only having one dhcp assigned ip address hence the 0/32 in the port map statements if you have a static this is where the ip address should be. In trying to keep this document simple remember keeping it in my IQ range, in short the first line because you are mapping multiple inside machines to one external ip address the firewall needs to be able to keep track of these ip conversations so nat maps each conversation a different port number. Notice you have ports 1025 to 65000 to work with which could hide a large amount of machines on internal/private ip address space.

On to the rules /etc/ipf.rules section this is where your firewall is actually earning its money blocking and allowing traffic acting as a street cop on the vast corners of the internet.

Example below

In keeping with the old saying Keep it simple stupid this is what I have tried to do with this basic /etc/ipf.rules to give individuals using this HOWTO a secure firewall to start out with more secure than some of the dsl/cable modems on the market (I will explain that comment later).

Please read the comments notice they are documented with basic info on what the rule is doing.

These rules above are basically blocking broadcast of smb traffic mainly Microsoft and Samba type traffic. This is the reason I made the comment about safer than some dsl/cable modems. Being a techie and loving every minute of this stuff I decided to test my cable modem from a well known manufacturer in a test environment. After sniffing some traffic seeing what was being allowed to pass from the inside to the outside I notice this router was actually passing smb broadcast traffic. Some say no way routers do not pass broadcast or owe that is nothing to worry about because quality routers used by isp's like Cisco, Juniper, 3com do not pass broadcast anyway unless setup in a bridged environment so no one will see the broadcasting of your computer netbios names right. Well ask yourself what is the chances of someone compromising one of your isp's machine in their network infrastructure and being able to see your info, well in this day and age I say chances are good it might happen. And this rule must be above your basic policy rule. So safe to always put it first.

Sticking to the basics here. Blocking all traffic AND logging all blocked traffic inbound from the outside. And passing out all traffic. Next you are telling the firewall to accept all packets from your internal nic and to accept traffic from your loopback interface.

Here you are only allowing certain types of troubleshooting tools to take place for you. Say you can't get to a website so you use the ping command to see if the website is still reachable out on the internet. These rules allow for packets to be returned to you.

If you think you need more than this to be allowed you can find out what all type of icmp number are by going here  http://www.iana.org/assignments/icmp-parameters

Now this is something we all can't live without DNS. Without DNS we all would have to remember every ip address on the internet to get to our favorite websites we visit. So here we are allowing DNS traffic to traverse our firewall but a certain type of dns traffic. We are only letting udp traffic pass and that is all that is needed for resolving names. If you were going to be doing dns zone transfers then that is tcp traffic and we would have to allow that also but I recommend starting with this first. Also notice that I am only allowing queries to and from my isp's dns servers, if you do not know the ip addresses of your isp's DNS servers then you can put the keyword "any" here. But please know now you are opening yourself up to dns queries from anyone in the world on the internet.

To me these are extremely important. This prevents anyone from the outside of your network from generating spoofed packets to make it look as if the traffic was generated on your network.

Though it is not necessary to it is time to reboot your machine again. This will activate the rules and put nat in place. After all this work it is now time to get out on the wild wild net and feel some what secure and enjoy your sense of accomplishments.

There will be more to come later in this document on running your own web and mail servers on your internal network, and also turning this beast into a IDS (intrusion Detection System) and make this thing log to a mysql databse. Stay Tuned more to come. The really neat IDS stuff.

Maintained and written by Elijah at http://www.digitalrage.org

 

 

BSD Firewall / Configure the firewall and router