Firewall
2024-12-16 21:42 +0000[fb7c9a6 @ 2024-12-25]
OpenBSD 7.6 Installation Process
- Download the install7.6.iso file linked from the download section of the OpenBSD website
- Place the ISO into the ISO partition of a Ventoy USB stick
- Boot from the USB stick and begin the installation process
Installer Questions / Answers
The following is how I configure a nearly minimal firewall suitable for home use. It assumes the internal LAN IP address is 10.67.33.254/24, with re0 being the interface with external connectivity and re1 being the internal LAN.
- Keyboard: default
- Hostname: tumbler
- Network: re0 autoconf; re1 10.67.33.254/24
- Domain name: my.domain (default)
- Root password: give it one
- sshd: no
- xenodm: no (default)
- Packages (file sets): -c* -g* -x*
- Reboot
rcctl disable library_aslr
The firewall is usually running on a Zimaboard so disabling the ASLR saves the disk from extra writes.
rcctl disable sndiod
There’s no sound on the firewall. This disables it.
From here it’ll reboot into OpenBSD 7.6. Then we’ll configure it for use.
echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf
Enables IP forwarding on the next reboot.
sysctl net.inet.ip.forwarding=1
Enables IP forwarding NOW (the command is sysctl; the -w flag is deprecated and not needed on OpenBSD).
Update the contents of the following files to match below:
/etc/dhcpd.conf
/etc/pf.conf
/var/unbound/etc/unbound.conf
Enable and start the services:
rcctl enable unbound dhcpd
rcctl start unbound dhcpd
Be sure to reboot and make sure it’s working before installation!
Packet Filter Firewall Ruleset
This will NAT traffic to the egress interface and allow the box itself to talk to everything unrestricted.
/etc/pf.conf
set skip on lo
eif="re0"
iif="re1"
block return all
match out on egress inet from !(egress:network) to any nat-to (egress)
pass in on $iif
pass out
DHCP Daemon configuration
/etc/dhcpd.conf
subnet 10.67.33.0 netmask 255.255.255.0 {
option routers 10.67.33.254;
option domain-name-servers 10.67.33.254;
range 10.67.33.1 10.67.33.253;
}
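A common slip in this file is writing the router's host address where the network number belongs (subnet 10.67.33.254 instead of 10.67.33.0), which dhcpd refuses as a bad subnet number/mask combination. The following added example, which is not part of the original post, checks a minimal single-subnet dhcpd.conf against the LAN address given to re1 in the installer: the subnet line names a network, that network is the LAN's network, routers and domain-name-servers point at the firewall itself, and the range stays inside the network without handing out the firewall's own address. The two sample configurations are constructed inline; the only assumption is the LAN address 10.67.33.254/24 from the page.

```python
import ipaddress
import re

# Constructed sample: a dhcpd.conf whose subnet line names the router's
# host address instead of the network number, and the corrected version.
DHCPD_CONF_BROKEN = """\
subnet 10.67.33.254 netmask 255.255.255.0 {
option routers 10.67.33.254;
option domain-name-servers 10.67.33.254;
range 10.67.33.1 10.67.33.253;
}
"""
DHCPD_CONF_FIXED = DHCPD_CONF_BROKEN.replace("subnet 10.67.33.254", "subnet 10.67.33.0")

# LAN address assigned to re1 in the installer (from the page).
LAN_IP = "10.67.33.254/24"


def parse_dhcpd_conf(text):
    """Extract subnet, netmask, routers, DNS servers and range from a
    minimal single-subnet dhcpd.conf. Returns a dict of strings/lists."""
    subnet = re.search(r"^\s*subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{", text, re.M)
    routers = re.search(r"^\s*option\s+routers\s+([^;]+);", text, re.M)
    dns = re.search(r"^\s*option\s+domain-name-servers\s+([^;]+);", text, re.M)
    rng = re.search(r"^\s*range\s+([^\s;]+)\s+([^\s;]+)\s*;", text, re.M)
    if not (subnet and routers and rng):
        raise ValueError("missing subnet, routers or range declaration")
    return {
        "subnet": subnet.group(1),
        "netmask": subnet.group(2),
        "routers": [r.strip() for r in routers.group(1).split(",")],
        "dns": [d.strip() for d in dns.group(1).split(",")] if dns else [],
        "range_lo": rng.group(1),
        "range_hi": rng.group(2),
    }


def check_dhcpd_conf(text, lan_ip):
    """Return a list of problems; an empty list means the config is
    consistent with the firewall's LAN interface address."""
    problems = []
    cfg = parse_dhcpd_conf(text)
    lan = ipaddress.ip_interface(lan_ip)

    # 1. The subnet declaration must be a network number (no host bits set).
    try:
        net = ipaddress.ip_network(f"{cfg['subnet']}/{cfg['netmask']}", strict=True)
    except ValueError:
        net = ipaddress.ip_network(f"{cfg['subnet']}/{cfg['netmask']}", strict=False)
        problems.append(f"subnet {cfg['subnet']} has host bits set; use {net.network_address}")

    # 2. The declared network must be the one the LAN interface lives on.
    if net != lan.network:
        problems.append(f"subnet {net} is not the LAN network {lan.network}")

    # 3. Clients should be pointed at the firewall for routing and DNS.
    for role, addrs in (("routers", cfg["routers"]), ("domain-name-servers", cfg["dns"])):
        for a in addrs:
            if ipaddress.ip_address(a) != lan.ip:
                problems.append(f"option {role} {a} is not the firewall address {lan.ip}")

    # 4. The pool must lie inside the network and must not include the firewall.
    lo = ipaddress.ip_address(cfg["range_lo"])
    hi = ipaddress.ip_address(cfg["range_hi"])
    if lo > hi:
        problems.append(f"range {lo} {hi} is reversed")
    if lo not in net or hi not in net:
        problems.append(f"range {lo} {hi} is not inside {net}")
    if lo <= lan.ip <= hi:
        problems.append(f"range {lo} {hi} includes the firewall address {lan.ip}")
    return problems


if __name__ == "__main__":
    for label, conf in (("host address as subnet", DHCPD_CONF_BROKEN), ("corrected", DHCPD_CONF_FIXED)):
        print(f"{label}: {check_dhcpd_conf(conf, LAN_IP) or 'ok'}")
```

Run it before `rcctl start dhcpd`; a non-empty list names the line to fix, and the same checks apply unchanged if the LAN later moves to a different prefix.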
Unbound DNS Resolver
/var/unbound/etc/unbound.conf
server:
interface: 127.0.0.1
interface: 10.67.33.254
do-ip6: no
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.67.33.0/24 allow
hide-identity: yes
hide-version: yes
# Perform DNSSEC validation
auto-trust-anchor-file: "/var/unbound/db/root.key"
val-log-level: 2
# Synthesize NXDOMAINs from DNSSEC NSEC chains.
# https://tools.ietf.org/html/rfc8198
aggressive-nsec: yes
remote-control:
control-enable: yes
control-interface: /var/run/unbound.sock
forward-zone:
name: "."
forward-addr: 9.9.9.9