trmg

My OpenBSD Firewall

6 posts in this topic

I've been debating on which direction to go with regards to my perimeter firewall on my home network.  In talking to systems_glitch in IRC he suggested that I give OpenBSD a go (he probably regrets this as I've been bugging this crap out of him about it).  I was a little gun shy about it at first since it would be my first experience with pf, and even OpenBSD itself, but the *NIX nerd in me decided to dive in head first.  Although it's only been a couple of days, I am very happy with the setup!

I used an old Dell OptiPlex 755 inherited from the ewaste pile at $dayjob.  It's got an Intel Core2 Duo E650 2.33 GHz CPU, 8 GB RAM, a 128 GB SSD, gigabit NIC onboard.  I happened to have an Intel PRO/1000 quad PCIe NIC in my stash which other than needing a half-height bracket (ordered and en-route from good ol' China) works beautifully.  Until the bracket arrives I'll just run it with the cover off.  The machine could use a nice dose of compressed air, too.

Performance wise I am very impressed.  I was leery of a box like this being able to handle gigabit throughput between firewall zones, but this box handles it like a champ.  CPU usage when doing scp between two hosts on separate zones is maybe 30% peak.  I have enabled some additional logging since this testing so I suspect CPU usage will be higher...I plan to test this soon.

Right now I'm using the onboard NIC as the "WAN" interface and a single interface on the PRO/1000 card for an inside zone.  Eventually I'm going to put all 4 of the PRO/1000 interfaces in a LACP bond and set up multiple zones using VLANs, but that is dependent on another network project of mine that is still in progress.

Before this I was using a Ubiquiti EdgeRouter PoE.  I can tell you hands down I prefer pf & OpenBSD wayyyy more over EdgeOS/VyOS.

If anyone has any tips/tricks on configuring pf security/performance wise, I am all eyes.  My config for reference (it's fairly basic right now): https://ghostbin.com/paste/sjfav

And, the obligatory pics!

Excellent to have another "convert" :P

 

Interestingly, trmg found the likely solution to a problem I've been having for years: whenever I dial certain numbers from one of my Asterisk servers to the old NPA-NXX for Albany, NY cell phones, audio will drop at exactly 15m30s every time. If I stay off-hook long enough, Asterisk will eventually terminate the call. This is only when I originate, and only to that NPA-NXX. I'd assumed it was an issue with my SIP provider, and since it affects one person I call every now and then I hadn't looked into it any further. But, trmg was running into the same issue! I'll let him confirm but I believe it was this line of his pf.conf that got it straightened out:

 

match out on egress inet proto udp from $pbx to any nat-to (egress:0) static-port

 

Where $pbx is an alias for the internal IPv4 address of his PBX.

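A pf.conf fragment showing how a static-port rule like that sits next to the ordinary NAT rule, as an added example rather than trmg's posted config; the interface name, the 10.0.1.0/24 LAN, the 10.0.1.10 PBX address and the table name are constructed.

```pf
# Added example, not the poster's pf.conf. Addresses and interface names are constructed.
int_if  = "em1"
lan_net = "10.0.1.0/24"
pbx     = "10.0.1.10"        # internal IPv4 address of the PBX (the $pbx from the post)

# Every LAN host except the PBX gets the default NAT, which also rewrites the
# source port of each outbound connection to a random high port.
# The negated entry keeps the PBX out of this table, so rule order does not matter.
table <lan_nat> { $lan_net, !$pbx }
match out on egress inet from <lan_nat> to any nat-to (egress:0)

# The PBX announces its own UDP ports inside SIP/SDP. If pf rewrites the source
# port, the port the PBX announced no longer matches what the peer sees, and the
# peer's media can end up being dropped. static-port keeps the original source
# port. It is scoped to the PBX only, so every other host keeps the randomized
# (less predictable) source ports pf assigns by default.
match out on egress inet proto udp from $pbx to any nat-to (egress:0) static-port

block log all
pass in on $int_if inet from $lan_net
pass out on egress inet
```

Load it with pfctl -nf to syntax-check before pfctl -f to apply; pfctl -ss afterwards shows whether the PBX's UDP states keep their original source port.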
On 5/13/2018 at 2:20 PM, systems_glitch said:

Excellent to have another "convert" :P

Interestingly, trmg found the likely solution to a problem I've been having for years: whenever I dial certain numbers from one of my Asterisk servers to the old NPA-NXX for Albany, NY cell phones, audio will drop at exactly 15m30s every time. If I stay off-hook long enough, Asterisk will eventually terminate the call. This is only when I originate, and only to that NPA-NXX. I'd assumed it was an issue with my SIP provider, and since it affects one person I call every now and then I hadn't looked into it any further. But, trmg was running into the same issue! I'll let him confirm but I believe it was this line of his pf.conf that got it straightened out:

match out on egress inet proto udp from $pbx to any nat-to (egress:0) static-port

Where $pbx is an alias for the internal IPv4 address of his PBX.

 

So far so good!  I have yet to have media suddenly disappear on me in the middle of a call.


Posted (edited)

The half height bracket I ordered for the NIC arrived earlier this week.  Had a few minutes to install it today.  Also took the opportunity to give the thing a nice dose of compressed air.  She's now complete...for now at any rate. :-D  The only other addition I am going to make is adding a second (I guess third counting onboard) NIC when I subscribe to a second ISP.  I eventually want to compare the local cable provider to the current VDSL service I have to see if it's worth switching.

 

Actually, I need to set up a serial console.  Then she'll be complete.

 


Posted (edited)

Wow, setting up a serial console in OpenBSD is really freaking simple.  Here's how you do it on amd64 systems (summarized from https://www.openbsd.org/faq/faq7.html#SerCon):

 

Edit /etc/ttys and change

tty00   "/usr/libexec/getty std.9600"   unknown off

to

tty00   "/usr/libexec/getty std.9600"   vt220   on  secure

vt220 is the terminal emulation type (there are others if you wish to experiment), on obviously enables console output to the tty interface, and secure allows root login from the tty.

 

Next, you want to enable the serial console with the boot loader.  It's literally one line to do this:

echo "set tty com0" >> /etc/boot.conf

Connect your favorite null modem cable to the serial interface, set your terminal application (or actual hardware terminal) to 9600 baud, 8N1, flow control none/off, reboot the box, and you should have serial console awesomeness.

 

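The two edits above wrapped into a small sh function, as an added example that is not from the post or from the OpenBSD FAQ. The function name and the file-path parameters are my own; on the real box you would point it at /etc/ttys and /etc/boot.conf, and a second run leaves both files unchanged.

```shell
#!/bin/sh
# Added example (not from the forum post). Enables the OpenBSD amd64 serial console:
# rewrites the tty00 entry in a ttys(5) file and adds "set tty com0" to boot.conf(8).
# Paths are parameters so it can be exercised on copies; real use:
#   enable_serial_console /etc/ttys /etc/boot.conf
set -eu

enable_serial_console() {
    ttys=$1
    bootconf=$2

    # Refuse to touch a ttys file that has no tty00 entry instead of guessing one.
    grep -q '^tty00[[:space:]]' "$ttys" || { echo "no tty00 entry in $ttys" >&2; return 1; }

    # Replace the whole tty00 line: vt220 emulation, turned on, marked secure.
    # -i.bak keeps a backup and works with both BSD and GNU sed.
    sed -i.bak 's|^tty00[[:space:]].*|tty00   "/usr/libexec/getty std.9600"   vt220   on  secure|' "$ttys"

    # Idempotent: only append the boot loader line if it is not already there.
    if ! grep -qx 'set tty com0' "$bootconf" 2>/dev/null; then
        echo 'set tty com0' >> "$bootconf"
    fi
}

# Helpers to inspect the result after a run.
tty00_line()     { grep '^tty00[[:space:]]' "$1"; }
bootconf_count() { grep -cx 'set tty com0' "$1"; }

# Only touch the live system when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    enable_serial_console /etc/ttys /etc/boot.conf
fi
```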

I love that doing low-level tasks is just as simple as it's always been -- apparently getting a serial console set up with systemd is a real chore. I haven't tried it, but Sark has and apparently can *not* get the configuration to be persistent!

 

Router looks good! It's nice to have the right bracket instead of just cutting the top off with a hacksaw :P
