BSD ProjectX

Invisible-Bridged Firewall

How many times have you needed to protect or separate two segments of your LAN, or two adjacent LANs? Or how many times have you had to do it without NAT being an option? Maybe you can find the answers to your questions in this tutorial.

I used the latest release of OpenBSD (5.0) with PF. My basic installation included only the sets bsd, bsd.rd, base50.tgz, etc50.tgz and man50.tgz (the last one just in case 😀 ). It took me 10 minutes to install and configure it. (Here is a screenshot of my installation.)

[Screenshot: BSD Firewall]

First step: Configuration files

We need to uncomment the following lines in:

/etc/sysctl.conf

in order to enable IP forwarding,

net.inet.ip.forwarding=1

And, if you need to enable IPv6, uncomment the following line;

net.inet6.ip6.forwarding=1

Check in your

/etc/rc.conf

that PF is enabled like this:

pf=YES

Then reboot your system.

Second step: Configure your Firewall bridge

A bridge is a link between two or more separate networks. Unlike a router, packets transfer through the bridge “invisibly” — logically, the two network segments appear to be one segment to nodes on either side of the bridge. The bridge will only forward packets that have to pass from one segment to the other, so among other things, they provide an easy way to reduce traffic in a complex network and yet allow any node to access any other node when needed.

To set up a bridge we first have to prepare our interfaces. In OpenBSD, interfaces are named after the driver of the card, not after the type of connection, so you will not find eth0 or anything like it; instead you find names like fxp0 or pcn0.

First we have to delete any existing address configuration on our interfaces:

# ifconfig fxp0 delete

# ifconfig pcn0 delete

then

# ifconfig fxp0 up

# ifconfig pcn0 up

and create a bridge,

# ifconfig bridge0 create

adding our interfaces to it:

# ifconfig bridge0 add fxp0 add pcn0 up

At this point we can test our bridge: connect a PC to each interface and ping one from the other. Just remember that the PCs must be on the same subnet. If all is well, let's go on and activate the invisible firewall!

First we make the configuration above permanent, so that it survives a reboot:

# echo up > /etc/hostname.fxp0

# echo up > /etc/hostname.pcn0

# echo "add fxp0 add pcn0 up" > /etc/hostname.bridge0
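The same persistence step as a small script, added here as an example that is not part of the original post: it writes the three hostname.if(5) files the commands above create by hand, can read the members back out of the bridge file, and applies the result with /etc/netstart instead of a reboot. The member names (fxp0 and pcn0, as in the post), bridge0 and the DESTDIR prefix used for testing on another machine are assumptions you adjust to your own box.

```shell
#!/bin/sh
# Added example, not part of the original post: persist the bridge as
# hostname.if(5) files and apply it with /etc/netstart instead of rebooting.
# Interface names (fxp0, pcn0, bridge0) and the destdir prefix are assumptions.
set -eu

# Write hostname.<member> for both members and hostname.<bridge> under $destdir
# (normally "/"; a temporary directory when testing on another system).
# Arguments: destdir member_a member_b bridge
write_bridge_config() {
    destdir=$1 if_a=$2 if_b=$3 br=$4
    mkdir -p "$destdir/etc"
    # Members carry no address: the whole file is the single word "up".
    printf 'up\n' > "$destdir/etc/hostname.$if_a"
    printf 'up\n' > "$destdir/etc/hostname.$if_b"
    # The bridge file holds the same words you would pass to ifconfig.
    # Type straight quotes if you do this by hand; curly quotes end up in the file.
    printf 'add %s add %s up\n' "$if_a" "$if_b" > "$destdir/etc/hostname.$br"
    # hostname.* files are root-only on OpenBSD (they may hold secrets).
    chmod 640 "$destdir/etc/hostname.$if_a" \
              "$destdir/etc/hostname.$if_b" \
              "$destdir/etc/hostname.$br"
}

# Print the member interfaces recorded in a hostname.bridgeN file, one per line.
bridge_members() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "add") print $(i + 1) }' "$1"
}

# Check that each member named in the bridge file exists on this host
# (ifconfig fails on an unknown interface). Returns 1 on the first missing one.
members_exist() {
    for m in $(bridge_members "$1"); do
        ifconfig "$m" >/dev/null 2>&1 || { echo "missing interface: $m" >&2; return 1; }
    done
}

# Apply: re-run netstart for just these interfaces, members before the bridge
# (OpenBSD only; netstart(8) accepts interface names as arguments).
apply_bridge_config() {
    sh /etc/netstart "$2" "$3" "$4"
}

# Usage on the firewall itself: sh this-script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    write_bridge_config / fxp0 pcn0 bridge0
    members_exist /etc/hostname.bridge0
    apply_bridge_config / fxp0 pcn0 bridge0
fi
```

Run it with --apply as root on the firewall; without arguments it only defines the functions, so you can source it and call write_bridge_config against a scratch directory first to inspect what it would write.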

then we write our first rules for PF in /etc/pf.conf:

# vi /etc/pf.conf

and write at the top, to allow everything on both interfaces:

pass on fxp0 all

pass on pcn0 all

save and exit, then load the rules:

# pfctl -f /etc/pf.conf

Now you can see what happens on your bridge:

# tcpdump -nei fxp0

or

# tcpdump -nei pflog0

Now you can add all your rules in /etc/pf.conf: block some protocols, source/destination IPs and/or ports, block all RST packets... or maybe you need to sniff all the traffic. But that is beyond the purpose of this tutorial.
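A starting point for those rules, added here as an example and not part of the original post: a script that writes a pf.conf for the invisible bridge, replacing the two "pass all" rules with a logged default deny and a short allow list, and syntax-checks it with pfctl where pfctl exists. Interface names follow the post (fxp0 toward the rest of the network, pcn0 toward the protected segment); the 192.0.2.0/24 subnet and the port list are constructed assumptions. Note that tcpdump on pflog0 only shows packets that matched a rule carrying the log keyword, which is why the default-deny rule here logs.

```shell
#!/bin/sh
# Added example, not from the original post: a default-deny pf.conf for the
# bridged firewall. fxp0/pcn0 come from the post; subnet and ports are assumptions.
set -eu

# Write the ruleset to the path given as $1 (use /etc/pf.conf on the firewall).
write_bridge_pf_conf() {
    cat > "$1" <<'EOF'
# On a bridge, PF filters on the member interfaces, never on bridge0 itself.
ext_if = "fxp0"                  # segment toward the rest of the network
int_if = "pcn0"                  # protected segment
protected_net = "192.0.2.0/24"   # constructed example subnet, adjust to yours
allowed_tcp = "{ 22, 80, 443 }"

set skip on lo
set block-policy drop            # drop silently: no RST/ICMP that would reveal the firewall

# Default deny on both members. "log" is what makes these packets appear on pflog0.
block log all

# Hosts on the protected side may open the listed TCP services and resolve DNS.
# pass keeps state by default; with the default floating state policy the
# matching reply is accepted on the other member interface without a rule of its own.
pass in on $int_if inet proto tcp from $protected_net to any port $allowed_tcp
pass in on $int_if inet proto udp from $protected_net to any port 53

# From the outside, only echo requests to the protected hosts get through.
pass in on $ext_if inet proto icmp icmp-type echoreq to $protected_net
EOF
}

# Syntax-check with pfctl when available (OpenBSD); elsewhere just confirm the file was written.
check_pf_conf() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        [ -s "$1" ]
    fi
}

# Count the filter rules that carry "log", i.e. the ones whose matches
# tcpdump -nei pflog0 will show. Prints 0 when none do.
logged_rules() {
    awk '$1 ~ /^(block|pass|match)$/ && / log / { n++ } END { print n + 0 }' "$1"
}

# Usage on the firewall itself: sh this-script.sh --install
if [ "${1:-}" = "--install" ]; then
    write_bridge_pf_conf /etc/pf.conf
    pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
fi
```

Two things to keep in mind with this ruleset: the check with pfctl -nf runs before pfctl -f so a typo never leaves you with an empty ruleset, and PF only sees IP, so ARP and other non-IP frames still cross the bridge unless you add layer-2 rules with ifconfig bridge0 rule.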
