DaemonForums  

Question about installing OpenBSD as Firewall

31st December 2010
afcelie

Hello,
I am new to OpenBSD and want to use this OS as a firewall, within a firewall cluster. We now have 2 machines acting as a firewall which is not capable of doing the following:
active/active and load balancing.
I do have experience with Linux and Unix.
Can someone help me on how to set up a system with the features:
active/active firewall
Load balancing
NAT

Thanks

31st December 2010
jggimi

  1. Use the FAQ. Avoid third-party how-to documents like the plague.
  2. The FAQ includes the PF Users Guide, which you will need.
  3. The man pages are the definitive documentation, and you will need them also, for PF, carp, and pfsync.

1st January 2011
afcelie

Well, thanks, the FAQ looks very well documented, but when installing my first firewall script I got the following error:
# Removing ip address: lo ::1 prefixlen 128
ifconfig: SIOCGIFXFLAGS: Device not configured
ifconfig: SIOCSIFXFLAGS: Device not configured
ifconfig: SIOCDIFADDR: Device not configured
ifconfig: SIOCGIFFLAGS: Device not configured

It is a firewall for testing within a VMware environment.

1st January 2011
jggimi

Your script has plenty of errors in it. What those errors are, I cannot tell until you post it.

1st January 2011
jggimi

Actually I can tell what the majority of errors are. You are issuing the ifconfig command against devices that do not exist in your test system. NICs must be present to be provisioned.

1st January 2011
afcelie

Attached my files:
System config:
em0 --> outside
em1 --> inside
em2 --> future use.
lo
Attached Files
File Type: zip FirewallExample.zip (2.4 KB, 20 views)

2nd January 2011
jggimi

There is no device called "lo". That is a device type, not a device. Loopback devices are lo0, lo1, etc. There is a device group "lo" however. Best practice is to use the lo0 device unless you have multiple loopback devices.

You did not include a dmesg, but if you had, you may not see the "em" devices you are attempting to configure... as mentioned already.

I have never used any "builder" application, and cannot answer any questions about your input to one, or the output produced.
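
The point in the reply above (a type or group name such as "lo" is not a device, and a NIC must be present before it can be configured) can be checked before a generated script is run. The following is an added example, not part of any post in this thread and not taken from the attached FirewallExample.zip; the function names `list_ifaces` and `missing_ifaces`, the sample script lines and the sample `ifconfig` output are constructed for illustration.

```sh
#!/bin/sh
# Added example: pre-flight check for a generated firewall script.

# Print interface names found in `ifconfig` output on stdin.
# Each interface stanza starts in column 0 as "name: flags=...".
list_ifaces() {
    sed -n 's/^\([a-z][a-z0-9]*\): flags=.*/\1/p'
}

# Print every name that script file $1 passes to ifconfig as its first
# argument but that is not in the whitespace-separated list $2.
missing_ifaces() {
    have=" $(printf '%s ' $2)"      # normalise to " lo0 em0 em1 "
    sed -n 's/^[[:space:]]*ifconfig[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\).*/\1/p' "$1" |
    sort -u |
    while read -r name; do
        case $have in
            *" $name "*) ;;         # a real, attached device
            *) echo "$name" ;;      # type/group name (lo) or absent NIC
        esac
    done
}

# Constructed sample data: a three-line script and a VM with lo0, em0, em1.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/fw.sh" <<'EOF'
# Removing ip address: lo ::1 prefixlen 128
ifconfig lo inet6 ::1 prefixlen 128 delete
ifconfig em0 inet 192.0.2.1 netmask 255.255.255.0
ifconfig em2 up
EOF
    cat > "$dir/ifconfig.out" <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
EOF
    missing_ifaces "$dir/fw.sh" "$(list_ifaces < "$dir/ifconfig.out")"
    rm -rf "$dir"
}

demo
```

On the firewall itself, the second argument would be `"$(ifconfig | list_ifaces)"`; any name printed means the script would fail with "Device not configured" errors like those quoted earlier in the thread.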

2nd January 2011
afcelie

Thanks for the help, it was indeed the naming of the lo interface which was not correct.
The gui we are using is for other persons within my company, who are not that familiar with command line interfaces.

2nd January 2011
BSDfan666

No offence, but such people should not have access to firewall configuration.

2nd January 2011
afcelie

I know, but then again, I cannot handle all of our systems on my own. I am also curious if there isn't someone indeed using a gui for maintaining the firewalls. We are using FWBuilder, because of the Linux firewalls. But I have found out that the OpenBSD firewalls can do more than the Linux firewalls.
But it is quite a study for something new.
I am still having trouble on how to use FWBuilder with NAT.

2nd January 2011
jggimi

Start with the PF Users Guide. Leave your GUI tool in the box that it came in. You will find the Guide in html and pdf from the FAQ top page.

3rd January 2011
ocicat

Quote:
Originally Posted by afcelie
I am also curious if there isn't someone indeed using a gui for maintaining the firewalls.
The project developers don't advocate the use of GUI tools for two reasons:
  • GUI tools are yet another layer. Development on pf(4) has progressed so quickly that no GUI tool has kept up.
  • To effectively use pf(4) requires understanding. Understanding comes from studying the pf(4) manpage & PF Users' Guide.
The only third-party document which comes close to serving as a pf(4) introduction is Hansteen's manuscript:

http://home.nuug.no/~peter/pf/

3rd January 2011
wimwauters

Quote:
Originally Posted by afcelie
I know, but then again, I cannot handle all of our systems on my own.
By using UNIX command-line tools you will be able to manage all your firewalls by yourself: the unixverse encourages automation of roll-out, management and monitoring/auditing. All you need is time to study and to build up your experience.