31 March 2008

OpenBSD to the rescue

or how to set up a quick firewall + AP solution...

This weekend I've been at my girlfriend's parents' place. The father of one of our close friends died last week, so we went there to be with her.

Anyway, we (especially my girlfriend) had a lot of work to finish before Monday, so we brought our laptops along. At the house they had a cable modem and a computer connected to it. We needed Internet access, but that computer couldn't be disconnected from the Internet.

Luckily, I had a Soekris box with me, with OpenBSD 4.2 installed on it. In less than 15 minutes, I had a functional firewall, gateway and wireless access point up and running, sharing the Internet connection between two laptops and a desktop computer.

First, I got access to the Soekris box from my MacBook using a USB-to-serial adapter and a null-modem cable.

OpenBSD/i386 (Arvak.e-shell.org) (tty00)

login:

Then I logged into the OpenBSD 4.2 system.

# uname -ap
OpenBSD Arvak.e-shell.org 4.2 GENERIC#375 i386 Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class)
#

Once there, I set up the configuration files for the network interfaces:

# cat /etc/hostname.vr1
dhcp
# cat /etc/hostname.vr2
inet 192.168.1.1 255.255.255.0 NONE
# cat /etc/hostname.ral0
inet 10.0.1.1 255.255.255.0 NONE mediaopt hostap mode 11g nwid OpenBSD_AP chan 11 -nwkey
#

where vr1 is the interface connected to the cable modem (it will get all its settings from a DHCP server), vr2 is the interface connected to the Windows computer, and ral0 is the interface that will act as the wireless access point.

Next, I needed to set up a DHCP server on vr2, so the Windows computer would still get its network settings from DHCP (as if it were still connected to the cable modem). Easy: I just opened /etc/dhcpd.conf and changed the default settings a little bit:

shared-network LOCAL-NET {
        option  domain-name "codigo23.net";
        option  domain-name-servers 212.51.32.254, 212.51.33.110, 212.51.33.73;


        subnet 192.168.1.0 netmask 255.255.255.0 {
                option routers 192.168.1.1;

                range 192.168.1.32 192.168.1.127;
        }
}

I only added the domain name and three nameserver IP addresses from the ISP.

After editing the dhcpd configuration, I edited /etc/rc.conf to change this line:

dhcpd_flags=NO          # for normal use: ""

to

dhcpd_flags=""          # for normal use: ""

(so that dhcpd is started at boot time)

While I was editing rc.conf, I decided to change one more line:

pf=NO                  # Packet filter / NAT

to

pf=YES                  # Packet filter / NAT

(to enable the OpenBSD packet filter)

OK, the next step was to activate IPv4 packet forwarding by changing one line in /etc/sysctl.conf:

#net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets

to

net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets

Fine, only one more step to go: I needed to set up PF, so I opened /etc/pf.conf and wrote some lines in it:

# interfaces: vr1 to the cable modem, vr2 to the wired PC, ral0 is the access point
ext_if="vr1"
int_if="vr2"
wi_if="ral0"

set optimization normal
set block-policy return

# normalise packets arriving from the Internet
scrub in on $ext_if all

# NAT both internal networks behind the (dynamically assigned) external address
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $wi_if:network to any -> ($ext_if)

# default deny for everything coming in
block in all

# wired LAN: only accept traffic sourced from its own subnet
pass in quick on $int_if from $int_if:network to any keep state
pass out quick on $int_if from any to $int_if:network

# wireless LAN: same, and replies to it go out on the wireless interface
pass in quick on $wi_if from $wi_if:network to any
pass out quick on $wi_if from any to $wi_if:network

pass out quick on $ext_if from ($ext_if) to any keep state

Which basically means: map (NAT) all packets coming from the wireless link and from the internal network to the Internet as if they came from the firewall itself, and block all packets coming in from the Internet that aren't replies to connections opened from the inside.
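A ruleset this small is easy to get subtly wrong when lines are copied between interfaces, so here is an added example (mine, not from the post) of a small Python lint for NAT gateway rulesets of exactly this shape. It checks that there is a default "block in all", that every "pass in" only accepts the interface's own subnet, that every network passed in is also NATed on the external interface, and that a "pass out" rule names the same interface as the network it targets. The ruleset embedded in it is a constructed sample modelled on the one above, with one "pass out" line deliberately pointing at the wrong interface.

```python
import re

# Constructed sample modelled on the post's ruleset (vr1 to the cable modem, vr2 to the
# wired PC, ral0 as the access point); one "pass out" rule deliberately names the wrong interface.
PF_CONF = """
ext_if="vr1"
int_if="vr2"
wi_if="ral0"
set block-policy return
scrub in on $ext_if all
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $wi_if:network to any -> ($ext_if)
block in all
pass in quick on $int_if from $int_if:network to any keep state
pass out quick on $int_if from any to $int_if:network
pass in quick on $wi_if from $wi_if:network to any
pass out quick on $int_if from any to $wi_if:network
pass out quick on $ext_if from ($ext_if) to any keep state
"""

def expand_macros(text):
    """Drop comments and macro definitions, expand every $name into its value."""
    macros = dict(re.findall(r'^(\w+)="([^"]*)"$', text, re.M))
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not re.match(r'^\w+="', line):
            rules.append(re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], line))
    return rules

def lint_pf(text, ext_if):
    """Return the invariants a NAT gateway ruleset like this one violates."""
    rules = expand_macros(text)
    findings = []
    if "block in all" not in rules:
        findings.append("no default 'block in all' rule")
    natted = set(re.findall(r"^nat on \S+ from (\S+):network", "\n".join(rules), re.M))
    for rule in rules:
        m = re.match(r"pass in quick on (\S+) from (\S+):network", rule)
        if m:
            on, net = m.groups()
            if on != net:  # accepting another subnet here would let spoofed sources through
                findings.append(f"pass in on {on} accepts {net}:network")
            if on not in natted:
                findings.append(f"{on}:network is passed in but never NATed on {ext_if}")
        m = re.match(r"pass out quick on (\S+) from any to (\S+):network", rule)
        if m and m.group(1) != m.group(2):
            findings.append(f"pass out on {m.group(1)} targets {m.group(2)}:network")
    return findings
```

Running lint_pf(PF_CONF, "vr1") reports only the mismatched "pass out" rule; once that line says "on ral0" the list is empty.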

After a reboot, everything was running smoothly: the Windows computer didn't notice the change and both laptops had Internet access.

Well, I only had one problem: it seems the house walls were made of some material that blocks the wireless radio signal, so we had trouble connecting to the wireless access point from some parts of the house.

As wiwi would say, it's OpenBSD, it's easy!

Posted by wu at 00:16 | Comments (0) | Trackbacks (0)