DaemonForums  
#1
Old 17th August 2011
tomp
Real Name: Tom Purvis
Local Area Nitwit
 
Join Date: Aug 2011
Location: Colorado
Posts: 17
Thanked 0 Times in 0 Posts
pf firewall, is it a bridge or router?

I'm getting my first OpenBSD firewall based on pf going. I have come to a place after a fair amount of struggle where I'm seeing how some things work, but am still hopelessly confused about others.

Intent of this firewall: to allow us to switch off firewall in our DSL Modem/router, put that device alone on one of this OpenBSD box's NICs, and hub the rest of our network onto the other NIC.

I started by going through FAQ6, Networking. I found FAQ6 as I worked to get a second NIC working on my machine. The second NIC discussion in that FAQ happens within the context of the section Setting up a network bridge in OpenBSD. So, I set up a bridge. I've got a hostname.bridge0 file and net.inet.ip.forwarding=1 set in my sysctl.conf and bridging works.

My test environment is a single Win Vista PC on the "internal" side of my network, connected to the rest of the world only through the rl1 nic, which I have at 192.168.1.254. The other nic, rl0 is at 192.168.0.1. I got confused when I set up the windows machine as a static IP (192.168.1.15 with default gateway 192.168.1.254). It would communicate with nobody but 192.168.1.254.

Then I set up my OpenBSD box to do DHCP and switched the win box to DHCP and it worked. But what I finally figured out was that it simply went to the DHCP server on the 192.168.0.* net that it had always used. Oh yeah, that OpenBSD machine is a bridge!

So now I have the win machine static at 192.168.0.15 with default gateway being 192.168.0.1, which is our DSL Modem/router (and DHCP server). And of course it's talking. Bridge.

Every time I put actual rules into my pf.conf file I start with something like

Code:
block all
pass out proto tcp to port { ssh, www, pop3 }
pass proto udp to port { domain }

And then my Vista box gets nothing. Comment out the "block all" and it works. Everything.

Finally I've noticed that some example pf rules apply to both nics, pass in/pass out statements per nic, so there are minimally four statements. Sometimes they are just a pair, with no mention of nic (like the example code above).

Finally it occurs to me, what if the basic firewall is not also a bridge?

The main documents I've been working on have been:

http://www.openbsd.org/faq/faq6.html
http://www.openbsd.org/faq/pf/index.html (PF User Guide) -and-
http://home.nuug.no/~peter/pf/ (Peter Hansteen's tutorial for PF)

Today I searched the PF User Guide for the word bridge and saw that it does not appear in that doc at all. I searched for it in Hansteen's tutorial and saw that he refers to a filtering bridge type firewall two thirds of the way down into his document and discusses its benefits and drawbacks. "The advantage of such a setup is that attacking the firewall itself is more difficult. The disadvantage is that all admin tasks must be performed at the firewall’s console, unless you configure a network interface which is reachable via a secured network of some kind, or even a serial console." (excerpt)

So, now I am a bit confused. Sounds like the default way to configure a firewall using OpenBSD/PF is to not have it configured as a bridge. In which case the pf daemon is routing? So, I would configure my little Vista test machine (and ultimately all of the machines on our network after this is working) to live on the 192.168.1.* subnet with the OpenBSD box's rl1 nic IP Address as its default gateway? And then remove the hostname.bridge0 file? Then the OpenBSD box should have its gateway (mygate) set to the DSL Modem/router (192.168.0.1)? What should the client machine's DNS Servers be set to? The OpenBSD machine has two nameserver IPs in resolv.conf...

I am happy to read more about this, but I find that most of the information out there assumes a certain amount of base knowledge that I don't seem to have. Any help greatly appreciated.
#2
Old 17th August 2011
BSDfan666
Real Name: N/A, this is the interweb.
Helpful companion
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts

I think you're confusing your terminology, if you want to set up a simple NAT router you do not configure a bridge.. also, pf is not a daemon, it is the kernel packet filter.

If your modem is configured as a NAT router, assigning internal private RFC1918 addresses, then it wouldn't really make sense to have an OpenBSD system between them.. but if you did, a bridge would make sense as it would simply act as a switch or a hub.

Now, if your modem itself is in bridge mode, one of your interfaces on your OpenBSD system will have to obtain an external public address and routing information, for Cable this is usually done using dhclient(8), for DSL you need to configure a pppoe(8)/pppoe(4) client.

At that point you would then need to configure OpenBSD for NAT and pass traffic between your network and the Internet, hosts inside your local subnet can be configured statically or by setting up dhcpd(8).

Last edited by BSDfan666; 17th August 2011 at 04:09 PM.
#3
Old 17th August 2011
ocicat
Administrator
 
Join Date: Apr 2008
Posts: 2,888
Thanked 190 Times in 160 Posts

Quote:
Originally Posted by tomp
My test environment is a single Win Vista PC on the "internal" side of my network, connected to the rest of the world only through the rl1 nic, which I have at 192.168.1.254. The other nic, rl0 is at 192.168.0.1. I got confused when I set up the windows machine as a static IP (192.168.1.15 with default gateway 192.168.1.254). It would communicate with nobody but 192.168.1.254.
If your intent is to have an "internal" network be separate from the Internet at large, this implies that your firewall should be configured as a router which will separate two distinct subnets. If the contract you have with your ISP is to supply you a single IP address, & you wish to have several hosts on the internal network each individually connect to the Internet independently, the only solution you have is to configure NAT at the exterior router -- in other words, configure NAT in pf(4).

If you configured your OpenBSD pf(4) system as a bridge, it will be acting as a switch with only two ports. If you are familiar with the OSI networking model, the OpenBSD system will be functioning at Layer 2/Data link layer instead of Layer 3/Networking layer (routers). As a bridge, your OpenBSD system will not have IP addresses assigned to its interfaces. However, note that configuring your OpenBSD system as a bridge will also mean that it cannot be configured for NAT. Only a single device can be connected on each side of this bridge.

If another system/device can be connected to the OpenBSD pf(4) bridge which can then act as a NAT'ed router, then a separation of functionality can be attained, however many people simply use a single device configured as a pf(4) router to take care of both filtering traffic & NAT functionality.

Which should you do? It all depends upon the contract you have with your ISP & how many machines you want to tie up implementing firewall capabilities.

Last edited by ocicat; 17th August 2011 at 04:36 PM.
#4
Old 17th August 2011
tomp
Double-NAT not?

Quote:
Originally Posted by BSDfan666
I think you're confusing your terminology, if you want to setup a simple NAT router you do not configure a bridge.. also, pf is not a daemon it is the kernel packet filter.

If your modem is configured as a NAT router, assigning internal private RFC1918 addresses, then it wouldn't really make sense to have an OpenBSD system between them.. but if you did, a bridge would make sense as it would simply act as a switch or a hub.

Now, if your modem itself is in bridge mode, one of your interfaces on your OpenBSD system will have to obtain an external public address and routing information, for Cable this is usually done using dhclient(8), for DSL you need to configure a pppoe(8)/pppoe(4) client.

At that point you would then need to configure OpenBSD for NAT and pass traffic between your network and the Internet, hosts inside your local subnet can be configured statically or by setting up dhcpd(8).
Hmm. My colleague and I were talking about that--double nat thing. The DSL is not cable, the modem is using PPPoA. At some point we hope to get redundant DSL, and the other provider would be cable, but that's not possible today--subject for another time.

So, we had been assuming that the DSL Modem/router would keep doing NAT, but that the firewall would also do NAT, which does sound like belt and suspenders. When you say "if your modem itself is in bridge mode", would that be implied by turning off NAT on that device? Disabling the firewall function in that device we had planned for, but we'd assumed that NAT would still be in place... You say a bridge would make sense if we left NAT on in the Modem/router, but would the double NAT configuration work?

Thanks for clarifying about pf running in the kernel. I had thought it was odd that I never saw it in a ps listing.
#5
Old 17th August 2011
BSDfan666

I wasn't recommending double NAT, I was saying if you had your OpenBSD system set up as a bridge.. other systems on your network wouldn't even know it was there, your modem would still be your router.

Disabling the NAT functionality and forcing your modem itself into bridge mode would allow you to use OpenBSD in that role instead.

I guess the real question is, what problem are you trying to solve with OpenBSD?
#6
Old 17th August 2011
tomp

problem we are trying to solve:

Quote:
Originally Posted by BSDfan666
...I guess the real question is, what problem are you trying to solve with OpenBSD?
Our primary motivation for going with an OpenBSD-based firewall is that we want a more flexible and robust firewall. The firewall functionality on the DSL Modem/router is quite limited. And it's probably not the fastest device for performing that functionality. But the limitations are what are driving us.

The actual trigger for doing it now is supporting a Verizon Wireless Network Extender, which allows cell phones inside our metal building to communicate with Verizon's network across our internet connection. The DSL Modem/router we were using a few weeks ago got flaky, so we asked our ISP to replace it. The new one is failing to support the device because of a firewall issue. Certain ports need to be allowed, and we have set them to be allowed, but for some reason the device is failing anyway. When we disabled the modem/router firewall it works.

So, executive summary: we are doing this to replace a toy firewall with a real firewall.
#7
Old 17th August 2011
tomp

clarifying question:

Quote:
Originally Posted by ocicat
... If the contract you have with your ISP is to supply you a single IP address, & you wish to have several hosts on the internal network each individually connect to the Internet independently, the only solution you have is to configure NAT at the exterior router -- in other words, configure NAT in pf(4).

If you configured your OpenBSD pf(4) system as a bridge, it will be acting as a switch with only two ports. If you are familiar with the OSI networking model, the OpenBSD system will be functioning at Layer 2/Data link layer instead of Layer 3/Networking layer (routers). As a bridge, your OpenBSD system will not have IP addresses assigned to its interfaces. However, note that configuring your OpenBSD system as a bridge will also mean that it cannot be configured for NAT. Only a single device can be connected on each side of this bridge...
We do have a single internet IP address.

What I hear you saying is that I have two options that will work, the first one where the DSL Modem/Router goes to bridge mode with NAT and Firewall off, and then our OpenBSD box functions as a NAT router and firewall via PF. And the second one where the Modem/Router does NAT, the current BSD box is a bridge, and there's another box of some kind that does the routing.

Yes?

I think the former option is the way we will go.

Thanks everyone. This forum is very useful.
#8
Old 17th August 2011
BSDfan666

So, you should find documentation for your modem/router combo and see if you can enable bridge/pass-through mode and then configure OpenBSD to handle NAT and packet forwarding, and indeed, serve as a firewall.

Many combination modems support operating in this way, and it allows you a finer level of control over what enters and leaves your network.

The OpenBSD FAQ and relevant man pages can help you configure the pppoe/pppoa client, and if successful, your OpenBSD system will be directly facing the Internet and you will need to configure pf.

Quote:
Originally Posted by tomp
And the second one where the Modem/Router does NAT, the current BSD box is a bridge, and there's another box of some kind that does the routing.
No, again, a bridge simply passes packets in from one Ethernet interface to another; it is akin to simply connecting a cable between your modem/router and a client system. It would still be offering NAT and would be the default route for your network.

Last edited by BSDfan666; 17th August 2011 at 05:32 PM.
#9
Old 17th August 2011
ocicat

Quote:
Originally Posted by tomp
What I hear you saying is that I have two options that will work, the first one where the DSL Modem/Router goes to bridge mode with NAT and Firewall off, and then our OpenBSD box functions as a NAT router and firewall via PF.
As BSDfan666 has already stated, you need to look into what modes the modem has available.

In any event, the modem will have to serve at least one IP address. This is what will go into one interface of your OpenBSD system.

Quote:
And the second one where the Modem/Router does NAT, the current BSD box is a bridge, and there's another box of some kind that does the routing.
No. Bridging should not be set up on the internal side of whatever device does NAT. If you decide to configure your OpenBSD pf(4) system to be a bridge, it will need to be on the outside of any device performing NAT. That is, if you want this single system to serve as the single corporate firewall.

Before proceeding further down this bridging line of thinking, you & your team need to answer the question of whether you want to access the firewall remotely. If your OpenBSD system is configured as a bridge, it will not have an IP address associated with it. Yes, a third interface can be added to your OpenBSD box, but how will it be accessible? You will soon see that this complicates the overall network configuration, & this is why most configure their OpenBSD/pf(4) firewall boxes as Layer 3 routers.

Last edited by ocicat; 17th August 2011 at 06:25 PM.
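A concrete pf.conf for the Layer 3 router-with-NAT layout the replies converge on, written as an added example for this thread (it is not tomp's, BSDfan666's or ocicat's configuration). It assumes the addressing from the first post (rl0 toward the modem/router at 192.168.0.1, rl1 as 192.168.1.254/24 on the LAN), that hostname.bridge0 has been removed while net.inet.ip.forwarding=1 stays in sysctl.conf, and OpenBSD 4.7-or-later pf syntax (nat-to); the macro names are assumptions.

```pf
# Assumed layout (from the thread): rl0 faces the DSL modem/router at
# 192.168.0.1, rl1 is 192.168.1.254/24 on the LAN. hostname.bridge0 is gone,
# net.inet.ip.forwarding=1 is kept so the kernel forwards between them.
ext_if  = "rl0"
int_if  = "rl1"
int_net = "192.168.1.0/24"
lan_tcp = "{ ssh, www, pop3 }"

set skip on lo

# Normalise fragments before any rule sees them.
match in all scrub (no-df)

# NAT: rewrite LAN source addresses to rl0's address as packets leave
# toward the modem (the "match ... nat-to" form of OpenBSD 4.7+).
match out on $ext_if inet from $int_net nat-to ($ext_if)

# Default deny in BOTH directions, logged. The ruleset quoted in post #1
# paired "block all" with pass rules that only said "out", so TCP arriving
# on rl1 from the PC was dropped before it could ever go out on rl0.
block log all

# LAN -> firewall: ssh for administration (the reason to prefer a
# Layer 3 router over a bridge that has no address of its own).
pass in on $int_if inet proto tcp from $int_net to $int_if port ssh

# LAN -> Internet: only the listed services plus DNS; pf keeps state,
# so replies come back without a matching "pass in on $ext_if".
pass in on $int_if inet proto tcp from $int_net to any port $lan_tcp
pass in on $int_if inet proto udp from $int_net to any port domain

# DHCP requests from the LAN, if dhcpd(8) is started on rl1 so clients
# receive 192.168.1.254 as their default gateway.
pass in on $int_if inet proto udp from any port bootpc to any port bootps

# Traffic the firewall itself originates, on either side.
pass out on $ext_if inet
pass out on $int_if inet
```

With the box out of bridge mode, the Vista client points its default gateway at 192.168.1.254 and can use the same nameserver addresses the OpenBSD box already has in resolv.conf, since they are reached through the same forwarding path. Check the result with `pfctl -nf /etc/pf.conf` before loading it.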