Configure OpenBSD as a firewall for your LAN

This example is based on my SparcStation 20. It has a 150MHz HyperSPARC ROSS CPU with 512K L2 cache, 192MB RAM and 2 SCA hard drives of 2.1G each. As network interfaces I have the default le0 and a quad NIC (qe0, qe1, qe2, qe3). All interfaces are only 10Mbit, but that's OK because the box is connected to a cable modem that is only 4Mbit and has a 10Mbit interface itself.

First off, the OpenBSD installation itself. I'm not going to spend too much time on it because it is basic stuff. Just start the install from floppy, CD, ... My disk setup is as follows:

    Filesystem   Size   Mounted on
    /dev/sd0a    100M   /
    /dev/sd0b    384M   swap
    /dev/sd0d    250M   /tmp
    /dev/sd0e    250M   /var
    /dev/sd0f    1.0G   /home

    Filesystem   Size   Mounted on
    /dev/sd1a    2.1G   /usr

I took the default distribution sets, because I have only one 32-bit sparc, and cross-compiling is asking for trouble when updates are available.

After bootup, first configure your network as it should be. Internet is connected to le0 and my network to qe0. Be sure you have all the files you need in order to connect your networks to the internet. Mine are as follows:

    /etc/hosts
    ::1         localhost.devbox.be localhost
    127.0.0.1   localhost.devbox.be localhost
    127.0.0.1   pizzabox.devbox.be pizzabox

    /etc/resolv.conf
    lookup file bind

    /etc/myname
    pizzabox.devbox.be

    /etc/hostname.le0
    dhcp NONE NONE NONE

    /etc/hostname.qe0
    inet 10.0.0.1 255.0.0.0 10.255.255.255

To save you from trouble with /etc/netstart, you can just reboot your machine now and watch whether you get your IP assigned from your ISP. After this you may sync your time with the nearest timeserver:

    rdate -n ntp.belnet.be

Enable forwarding of packets and swap encryption, and disable dropping into ddb after a system panic, in /etc/sysctl.conf:

    net.inet.ip.forwarding=1
    vm.swapencrypt.enable=1
    ddb.panic=0

Create /etc/rc.conf.local and enable some useful stuff we need.
(I want ftp, so I will run ftpd, nothing wrong with that.)

    ftpd_flags="-D"
    pf="YES"
    pf_rules="/etc/pf.conf"

Create the file /etc/pf.deny; we might need this later on.

    touch /etc/pf.deny
    chmod 600 /etc/pf.deny

Enable the ftp proxy in /etc/inetd.conf:

    127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

and make inetd reread its config:

    kill -HUP `cat /var/run/inetd.pid`

Install NTP for time synchronisation of clients. This is not mandatory, but useful for a large network.

    pkg_add ftp://openbsd.rug.ac.be/pub/OpenBSD/3.5/packages/sparc/ntp-4.1.1c.tgz

While I'm installing packages, I install tcsh-6.12.00-static.tgz too; I really don't like the default OpenBSD shells. And no-ip-2.1.1.tgz too, because I do not have a static IP (for more info visit http://www.no-ip.com).

First, we create our NTP config, /etc/ntp.conf:

    server ntp.belnet.be
    driftfile /var/db/ntp.drift

Next, we adjust /etc/rc.conf.local and add:

    ntpdate_flags="ntp.belnet.be"
    ntpd=YES

And we start the server for now with:

    /usr/local/sbin/ntpd -p /var/run/ntpd.pid -x

Set up DHCP if you need it! I need it because I am too lazy to change the IP of my laptop every time I go to another location. I'm not going to discuss the details; the config is really simple, just edit /etc/dhcpd.conf and you will see. Then add the local interface qe0 to /etc/dhcpd.interfaces, and add the following to /etc/rc.conf.local:

    dhcpd_flags="-q"

Then make a lease file and activate dhcpd:

    touch /var/db/dhcpd.leases
    chmod 600 /var/db/dhcpd.leases
    dhcpd -q qe0

What about DNS? We are not going to discuss that here. If you want to set up a caching DNS server, please read the OpenBSD FAQ and manual pages. Why no discussion? Simple: my provider has a very good DNS cache :) But there are some tweaks below that redirect DNS queries to it without running BIND.

And now the big part, loading the firewall rules :) If you want to use 10.0.0.0/8 as your network, and have the same interfaces as me, you can just copy my config; otherwise you have to tweak it (recommended).
Put the following rules into /etc/pf.conf, and load them with:

    pfctl -f /etc/pf.conf

These rules do not yet create any logs. Choose wisely WHAT you want to log, WHY you need those logs, and whether your hardware can handle it. For a dedicated computer keeping logs, or other help on pf, I strongly advise reading 'Building Firewalls with OpenBSD and PF' by Jacek Artymiak.

So here goes my skeleton firewall config:

    ######################################################################
    ######                   MACRO DEFINITIONS                      ######
    ######################################################################

    # interfaces
    ext_if="le0"
    int_if="qe0"

    # DNS servers, REPLACE WITH YOUR ISP'S CACHE !!!
    dnscache="{10.0.0.2,10.0.0.3}"

    ######################################################################
    ######                   TABLE DEFINITIONS                      ######
    ######################################################################

    # unwanted people
    # (the table name was lost when the page was extracted; <intruders> is
    # taken from the "block broadcast and intruders" rule below)
    table <intruders> file "/etc/pf.deny"

    ######################################################################
    ######                        OPTIONS                           ######
    ######################################################################

    #set loginterface $ext_if

    ######################################################################
    ######                 TRAFFIC NORMALIZATION                    ######
    ######################################################################

    # normalize every packet, and give random ids on outgoing
    scrub in all no-df
    scrub out all no-df random-id

    ######################################################################
    ######                  BANDWIDTH MANAGEMENT                    ######
    ######################################################################

    # stupid on a shared uplink, there is no guarantee at all with cbq,
    # and priq has not that much of an advantage in my situation

    ######################################################################
    ######                       TRANSLATION                        ######
    ######################################################################

    # translate everything that does not come from our main ip
    nat on $ext_if from !($ext_if) -> ($ext_if:0)
    ######################################################################
    ######                       REDIRECTION                        ######
    ######################################################################

    # redirect ftp requests through our ftp proxy
    rdr on $int_if proto tcp to !($int_if) port ftp -> 127.0.0.1 port 8021

    # our DNS trick
    rdr on $int_if proto udp to ($int_if) port domain -> $dnscache round-robin

    ######################################################################
    ######                     PACKET FILTERING                     ######
    ######################################################################

    ### DEFAULT RULES

    # block everything
    block in all
    block out all

    # block broadcast and intruders
    block in quick on $ext_if from any to ($ext_if:broadcast)
    block in quick on $ext_if from <intruders> to any

    ### LOOPBACK

    # allow all loopback traffic quick
    pass quick on lo0 all

    ### INTERNAL INTERFACE

    # allow all local traffic quick (fully trusted, because I own the internal lan)
    pass quick on $int_if all

    ### EXTERNAL INTERFACE

    # block special incoming connections
    block return-rst quick on $ext_if inet proto tcp from any to ($ext_if) \
        port auth

    # allow special incoming connections (passive ftp data via ftp-proxy)
    pass in on $ext_if inet proto tcp to ($ext_if) port > 49151 flags S/SA \
        user proxy modulate state

    # block some outgoing connections
    block out quick on $ext_if from !($ext_if) to any

    # create states for outgoing connections
    pass out on $ext_if inet proto tcp from ($ext_if) to any modulate state
    pass out on $ext_if inet proto {udp,icmp} from ($ext_if) to any keep state
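Before running pfctl -f on a box like this, it helps to catch the two mistakes that most often make a ruleset fail to load: a $macro or <table> used without a definition, and a line in the table file (/etc/pf.deny here) that is not an address or network. The following Python lint is an added example, not part of the original post; its regexes cover only the macro and table syntax used in the skeleton above, and the sample ruleset and pf.deny contents are constructed.

```python
"""Static checks for a pf.conf and its table file before 'pfctl -nf'.
Added example, not from the original page; regexes match only the macro and
table syntax used in the skeleton ruleset, not the full pf.conf grammar."""
import ipaddress
import re

MACRO_DEF = re.compile(r'^\s*(\w+)\s*=')       # ext_if="le0"
MACRO_USE = re.compile(r'\$(\w+)')              # ($ext_if:0), $dnscache
TABLE_DEF = re.compile(r'^\s*table\s+<(\w+)>')  # table <name> file "..."
TABLE_USE = re.compile(r'<(\w+)>')              # from <name> to any

def strip_comment(line):
    return line.split('#', 1)[0]

def check_pfconf(text):
    """Return (lineno, message) for every macro or table used but not defined."""
    macros, tables, issues = set(), set(), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if MACRO_DEF.match(line):
            macros.add(MACRO_DEF.match(line).group(1))
        if TABLE_DEF.match(line):
            tables.add(TABLE_DEF.match(line).group(1))
        issues += [(n, f"macro ${m} undefined") for m in MACRO_USE.findall(line) if m not in macros]
        issues += [(n, f"table <{t}> undefined") for t in TABLE_USE.findall(line) if t not in tables]
    return issues

def check_table_file(text):
    """Return (lineno, entry) for lines of a table file such as /etc/pf.deny that are
    not an IP address or network (pfctl also accepts hostnames; this flags them)."""
    bad = []
    for n, raw in enumerate(text.splitlines(), 1):
        entry = strip_comment(raw).strip()
        if entry:
            try:
                ipaddress.ip_network(entry, strict=False)
            except ValueError:
                bad.append((n, entry))
    return bad

# Constructed sample: the skeleton's macros, no table definition, and a macro typo.
SAMPLE_PFCONF = """\
ext_if="le0"
int_if="qe0"
dnscache="{10.0.0.2,10.0.0.3}"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr on $int_if proto udp to ($int_if) port domain -> $dnscache round-robin
block in quick on $ext_if from any to ($ext_iff:broadcast)
block in quick on $ext_if from <intruders> to any
"""
SAMPLE_PFDENY = "192.0.2.7\n198.51.100.0/24\nbadhost.example\n# comment\n"

if __name__ == "__main__":
    for n, msg in check_pfconf(SAMPLE_PFCONF) + check_table_file(SAMPLE_PFDENY):
        print(f"line {n}: {msg}")
```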