A lot of hype today surrounds the word "firewall"; some of this is corporate-fabricated and some of it relates to the actual functionality of a firewall. The commonly purveyed misconception is that a firewall is some sort of magical network security device that will put an end to every admin's security concerns. This couldn't be further from the truth; a firewall is designed to provide advanced IP services such as packet filtering, port forwarding, and network address translation. This said, a correctly configured firewall should be a part of every secure network. It's just not the be-all and end-all of network security.
One of the most common firewall implementations (and a good one for educational purposes) is an NAT (Network Address Translation) machine that acts as an internet access gateway for a small network. This is similar in functionality to Linux's IPMASQ features, yet quite different in terms of configuration and implementation. Assuming simple network configuration and services have been dealt with (as discussed in the previous articles of this series), we can proceed to configure the system:
1. Add an entry to
/etc/rc.conf like this:
ipfilter=YES ipnat=YES # for "YES" ipfilter must also be "YES" ipfilter_rules=/etc/ipf.rules # Rules for IP packet filtering ipnat_rules=/etc/ipnat.rules # Rules for Network Address Translation
This enables IP filtering and IP network address translation on the system. These two systems, known as IPF and IPNAT, are the two OpenBSD firewall tools. IPF is used for things like packet filtering and ICMP control, while IPNAT handles functions like network address translation and port forwarding.
2. Edit the
map ep0 192.168.0.0/24 -> ep0/32 portmap tcp/udp 10000:20000
This line does basic NAT to provide internet access to the subnet. To provide a breadown of the syntax:
This tells IPNAT to map traffic from the internal address range
The live interface ep0.
This tells IPNAT to map all tcp/udp traffic to ports in the range of 10000:20000.
/etc/sysctl.conf to allow IP forwarding:
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
This enables IP forwarding, which is a pre-requisite of IPNAT.
After a reboot, the system should now operate as a gateway for client machines within the 192.168.0.x range. To expand upon this example, let's now apply some simple firewall rules to the system. To do this, we'll need to edit the /etc/ipf.rules file, which dictates IPF configuration. I've taken a few examples here from OpenBSD's /usr/share/ipf/ documentation:
1. By default, pass all packets through the firewall:
pass out from any to any pass in from any to any
2. Block and log malformed and dangerous packets, namely ICMP redirect packets and extremely short fragmented packets, where ep0 is our live interface:
block in log quick on ep0 proto icmp from any to any icmp-type redir block in log quick on ep0 proto tcp/udp all with short
3. Block all UDP traffic except for DNS:
block in on ep0 proto udp from any to any pass in on ep0 proto udp from any to any port = domain
4. Block and log any spoofed packets (any packets from "internal" IPs that are actually coming through an external interface):
block in log quick on ep0 from 192.168.0.0/24 to any block in log quick on ep0 from localhost to any block in log quick on ep0 from 0.0.0.0/32 to any block in log quick on ep0 from 255.255.255.255/32 to any
The final component of this firewall is a "bastion firewall". The concept of a bastion firewall is a relatively simple one, and you'll find it in most texts on firewalls: One firewall machine has a live IP address and uses port forwarding to machines on a private subnet to distribute service provision and load. In this case, we'll discuss configuring the firewall so that httpd services are provided by 192.168.0.10, a server on the internal network, through the firewall with a live IP of 188.8.131.52. The reasoning for this can vary. For example, with a Windows NT server running a highly insecure SQL Server yet a relatively secure IIS Server (httpd), the firewall both protects the NT server and conserves live IP space by keeping it on the internal range. Assuming the firewall is otherwise already configured, adding the port forwarding to facilitate this is a simple change:
1. Edit /etc/ipnat.rules:
rdr ep0 184.108.40.206/32 port 80 -> 192.168.0.10 port 80
This line configures IPNAT such that any request to 220.127.116.11:80 is forwarded to 192.168.0.10:80, and 192.168.0.10's response to the request is forwarded back out.
ipnat to reflect this configuration change:
ipnat -CF /etc/ipnat.rules
As this article has demonstrated, the key functionality of a firewall lies in the configuration process and how well an individual firewall is set up for its conditions, not the particular firewall package used. The IPF/NAT system used by OpenBSD is extremely robust and is capable of anything that commercial competitors such as Checkpoint are. When implementing a firewall, remember -- it is a COMPONENT of network security, nothing more.
David Jorm has been involved with open source and security projects for several years, originally with OpenBSD and Debian GNU/Linux, now with the development team at wiretapped.net.
Read more OpenBSD Explained columns.
Discuss this article in the Operating Systems Forum.
Return to the BSD DevCenter.
Copyright © 2009 O'Reilly Media, Inc.