Posted 17th August 2011 by tomp (Real Name: Tom Purvis; Join Date: Aug 2011; Location: Colorado; Posts: 17)

pf firewall, is it a bridge or router?

I'm getting my first OpenBSD firewall based on pf going. I have come to a place after a fair amount of struggle where I'm seeing how some things work, but am still hopelessly confused about others.

Intent of this firewall: to allow us to switch off firewall in our DSL Modem/router, put that device alone on one of this OpenBSD box's NICs, and hub the rest of our network onto the other NIC.

I started by going through FAQ6, Networking. I found FAQ6 as I worked to get a second NIC working on my machine. The second NIC discussion in that FAQ happens within the context of the section Setting up a network bridge in OpenBSD. So, I set up a bridge. I've got a hostname.bridge0 file and net.inet.ip.forwarding=1 set in my sysctl.conf and bridging works.

My test environment is a single Win Vista PC on the "internal" side of my network, connected to the rest of the world only through the rl1 nic, which I have at 192.168.1.254. The other nic, rl0 is at 192.168.0.1. I got confused when I set up the windows machine as a static IP (192.168.1.15 with default gateway 192.168.1.254). It would communicate with nobody but 192.168.1.254.

Then I set up my OpenBSD box to do DHCP and switched the win box to DHCP and it worked. But what I finally figured out was that it simply went to the DHCP server on the 192.168.0.* net that it had always used. Oh yeah, that OpenBSD machine is a bridge!

So now I have the win machine static at 192.168.0.15 with default gateway being 192.168.0.1, which is our DSL Modem/router (and DHCP server). And of course it's talking. Bridge.

Every time I put actual rules into my pf.conf file I start with something like

Code:
block all
pass out proto tcp to port { ssh, www, pop3 }
pass proto udp to port { domain }

And then my Vista box gets nothing. Comment out the "block all" and it works. Everything.

Finally I've noticed that some example pf rules apply to both nics, pass in/pass out statements per nic, so there are minimally four statements. Sometimes they are just a pair, with no mention of nic (like the example code above).

Finally it occurs to me, what if the basic firewall is not also a bridge?

The main documents I've been working on have been:

http://www.openbsd.org/faq/faq6.html
http://www.openbsd.org/faq/pf/index.html (PF User Guide) -and-
http://home.nuug.no/~peter/pf/ (Peter Hansteen's tutorial for PF)

Today I searched the PF User Guide for the word bridge and saw that it does not appear in that doc at all. I searched for it in Hansteen's tutorial and saw that he refers to a filtering bridge type firewall two thirds of the way down into his document and discusses its benefits and drawbacks. "The advantage of such a setup is that attacking the firewall itself is more difficult. The disadvantage is that all admin tasks must be performed at the firewall’s console, unless you configure a network interface which is reachable via a secured network of some kind, or even a serial console." (excerpt)

So, now I am a bit confused. Sounds like the default way to configure a firewall using OpenBSD/PF is to not have it configured as a bridge. In which case the pf daemon is routing? So, I would configure my little Vista test machine (and ultimately all of the machines on our network after this is working) to live on the 192.168.1.* subnet with the OpenBSD box's rl1 nic IP Address as its default gateway? And then remove the hostname.bridge0 file? Then the OpenBSD box should have its gateway (mygate) set to the DSL Modem/router (192.168.0.1)? What should the client machine's DNS Servers be set to? The OpenBSD machine has two nameserver IPs in resolv.conf...

I am happy to read more about this, but I find that most of the information out there assumes a certain amount of base knowledge that I don't seem to have. Any help greatly appreciated.
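An added pf.conf for the routed (non-bridge) layout the post is weighing up; this is example configuration, not tomp's own file. It assumes rl0 faces the DSL modem/router at 192.168.0.1 and rl1 (192.168.1.254) faces the LAN, as described above, and keeps the post's port list. The point it illustrates applies to the bridge layout too: LAN traffic always arrives on rl1, so it needs a "pass in" rule, and a rule set with only "pass out" leaves "block all" dropping it on entry.

```pf
# Added example (not from the post): two-NIC routing firewall.
# Assumes rl0 = outside (DSL router 192.168.0.1), rl1 = inside LAN,
# hostname.bridge0 removed, net.inet.ip.forwarding=1 kept.
ext_if = "rl0"
int_if = "rl1"
lan    = "192.168.1.0/24"

set skip on lo

# Rewrite LAN source addresses to rl0's address before they reach the
# DSL router, which only knows about the 192.168.0.* network.
match out on $ext_if from $lan nat-to ($ext_if)

# Default deny in both directions on both interfaces.
block all

# LAN hosts enter on rl1: this "pass in" is what the post's rules lack.
# Stateful by default, so replies come back through the same state.
pass in on $int_if proto tcp from $lan to any port { ssh, www, pop3 }
pass in on $int_if proto udp from $lan to any port domain

# Anything leaving rl0 was either admitted on rl1 above or originated
# by the firewall itself (its own DNS lookups, updates, ssh out).
pass out on $ext_if
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the states created as the LAN host's traffic is admitted on rl1.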