Building an OpenBSD Live CD
Make the ISO Image
In the /livecd directory, run the following all on one command line:
# mkisofs -b cdrom36.fs -c boot.catalog -R -v -o /tmp/livecd.iso /livecd
After another wait, you'll have a burnable ISO image waiting for you as /tmp/livecd.iso.
Burn the CD
Use cdrecord to burn the ISO image to CD:
# cdrecord -v speed=24 dev=/dev/rcd0c -data /tmp/livecd.iso
OpenBSD Live CD Firewall
I've been using an OpenBSD Live CD for NAT/firewall at school for a while
now. The setup is actually quite simple. My internal and external network
interfaces are fxp0 and fxp1, respectively. To
activate PF, and have it start automatically on boot-up, edit the
/etc/rc.conf.local file and add the line pf=YES.
To enable IP forwarding, make sure that
net.inet.ip.forwarding=1 is in /etc/sysctl.conf.
Finally, put your NAT/firewall rules in /etc/pf.conf:
int_if = "fxp0"
ext_if = "fxp1"
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# options
set block-policy return
set loginterface $ext_if
# scrub
scrub in all
# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
port 8021
# filter rules
block all
pass quick on lo0 all
# provide unrestricted Internet access to internal computers
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
# allow the following incoming traffic to the firewall
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
These rules NAT all traffic from the internal network to the external network and redirect all internal traffic destined for port 21 (FTP) to port 8021 on the gateway. They also block unwanted incoming traffic on the external interface (including packets with spoofed private or loopback addresses), while allowing unrestricted outgoing traffic from the internal network. It's a good starting place for secure access that you can modify as you need.
Best yet, it's on a CD, so I can have it with me wherever I go.
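As an added example (not part of the article or the OpenBSD project), here is a small Python 3 script that parses the macros and the two "block drop ... quick" anti-spoofing rules from the ruleset above and checks a few constructed packets against them. It uses only the standard ipaddress module, models just those two rules rather than the full PF evaluation order, and the packet addresses are made-up documentation-range values.

```python
import ipaddress
import re

# Constructed excerpt of the ruleset: the macros plus the two anti-spoofing
# rules on the external interface (quoted from the article's pf.conf).
PF_CONF = '''
int_if = "fxp0"
ext_if = "fxp1"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
'''

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"(.*)"\s*$')
RULE_RE = re.compile(
    r'^\s*block\s+drop\s+(in|out)\s+quick\s+on\s+(\S+)'
    r'\s+from\s+(.+?)\s+to\s+(\S+)\s*$')


def parse_macros(text):
    """Collect name = "value" macro definitions."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
    return macros


def expand(token, macros):
    """Resolve a $macro reference and split a { a, b } list into items."""
    if token.startswith('$'):
        token = macros[token[1:]]
    token = token.strip()
    if token.startswith('{') and token.endswith('}'):
        return [t.strip() for t in token[1:-1].split(',') if t.strip()]
    return [token]


def parse_block_rules(text, macros):
    """Extract the 'block drop <dir> quick on <if> from <src> to <dst>' rules."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        direction, iface, src, dst = m.groups()
        rules.append({
            'dir': direction,
            'iface': expand(iface, macros)[0],
            'src': expand(src, macros),
            'dst': expand(dst, macros),
        })
    return rules


def addr_matches(spec, addr):
    """True if addr falls inside spec ('any' or a CIDR network)."""
    if spec == 'any':
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def dropped_by_antispoof(rules, direction, iface, src, dst):
    """Return the index of the first quick block rule that drops the packet,
    or None if neither anti-spoofing rule matches (later rules then apply)."""
    for i, r in enumerate(rules):
        if r['dir'] != direction or r['iface'] != iface:
            continue
        if (any(addr_matches(s, src) for s in r['src'])
                and any(addr_matches(d, dst) for d in r['dst'])):
            return i
    return None


MACROS = parse_macros(PF_CONF)
RULES = parse_block_rules(PF_CONF, MACROS)

# Constructed packets: (direction, interface, source, destination).
SAMPLE_PACKETS = [
    ('in', 'fxp1', '10.1.2.3', '203.0.113.5'),       # spoofed private source
    ('in', 'fxp1', '198.51.100.7', '203.0.113.5'),   # ordinary Internet source
    ('out', 'fxp1', '203.0.113.5', '192.168.1.10'),  # private destination leaking out
    ('in', 'fxp0', '192.168.1.10', '198.51.100.7'),  # internal interface, not covered
]

if __name__ == '__main__':
    for pkt in SAMPLE_PACKETS:
        hit = dropped_by_antispoof(RULES, *pkt)
        verdict = 'dropped by rule %d' % hit if hit is not None else 'passes to later rules'
        print('%-3s %s %s -> %s: %s' % (pkt + (verdict,)))
```

The checker only answers whether one of the two quick anti-spoofing rules fires; a packet it reports as passing still has to get through the default "block all" and the explicit pass rules that follow. Because the rules are marked "quick", their position before the pass rules is what guarantees a packet with a private source on the external interface is never evaluated against "pass in on $ext_if".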
Resources
- How to Make a Bootable, Full System OpenBSD 3.2 CDROM
- OpenBSD CD Bootable Firewall System
- PF User's Guide
Kevin Lo is an OpenBSD developer and a teacher at Kaiping Vocational School.