nat and pf on OpenBSD 4.6
So maybe you have an old computer and you’d like to put it to good use? How hard is it really to convert an old piece of shit machine to a fully fledged NAT box with a built in firewall?
Not too hard.
What you need
What you need to do this build are the following items:
- An old computer
- Two good network cards. I can’t emphasize this enough. Preferably Intel cards, 3com is fine too.
- Some CAT5 / 6 cable
- A switch (optional, if you want to have more than one machine behind the firewall)
- A USB memory stick, or a CD with OpenBSD 4.6 (4.7 is coming out in May)
- The ability to read and understand written instructions
Not too insurmountable, eh? No, despite the “eh”, i’m not from Canada.
Step one – Preparations
Make sure your old machine boots, and doesn’t show any obvious faults in POST. If unsure, run something like Memtest86 from a Ubuntu Live CD, plus any BIOS diagnostics that may be available. Make sure your disk doesn’t have bad sectors and that it doesn’t make any funny sounds. Trust me, you don’t want to do a re-install one week later, just because your disk bought the farm. At this stage, also make sure your machine is set to boot from the media you are using (CD or USB).
Prepare your boot media. This is what you’ll be using to install OpenBSD with. Instructions for installing from a USB stick are here (warning, this is a new method, and not very well tested, so if you are not of the experimenting type, go with the CD). Go to this page http://openbsd.org/ftp.html and pick a mirror closest to you. Once inside the FTP site, browse to 4.6 (or 4.7 when it’s out)/i386/ and download the file named install46 (or 47).iso
Burn this file to a CD. This file contains all the necessary files to install a working OpenBSD system, so you don’t have to put together too much yourself. It’s pretty small by today’s standards, so it’s fast to download.
Slide that CD/USB in to your old POS, and boot the machine from that. Pick Install when asked what to do. Choose to use the entire disk, and use recommended partition layout. Easiest at this point, and works fine for most installations.
Set network settings accordingly. One of your network cards should have an external address, usually given to you by your router, modem or whatever. The other should be in a private IP block, such as 10.x.x.x, 172.16.x.x – 172.31.x.x or 192.168.x.x (when in doubt, check the OpenBSD installation guide), and finish the installation. It’s not as hard as it looks.
Once done, follow the instructions for booting into your new installation.
To use your machine as a NAT and packet filter, you need to set a few system variables, and edit a few configuration files. The instructions written here are based on this brilliant guide, which I’ve always used as a base for my installations.
The basic steps are as follows:
- Edit the file /etc/sysctl.conf and change the value of net.inet.ip.forwarding to 1. This turns on IP forwarding between your two interfaces, which NAT needs in order to work.
- Check that PF is enabled (it should be by default in 4.6), by looking at /etc/rc.conf.local. If the file is empty, just add a line pf=YES (no spaces around the equals sign, since the file is read by the shell).
- If you want to have DHCP enabled, so you don't have to give out IPs to hosts by hand, enable dhcpd by following these instructions. Once it's done, it makes life easier if you have to add and remove workstations a lot.
- At this point, I usually reboot, just to see that the services start by default.
- Here we start the "hardest" part; editing /etc/pf.conf. This file controls how the packet filter works, and is essential if you want to offer security to your network. An incorrectly configured pf.conf means evil guys, like my friend Bob, can gain access to your stuff.
- You can use my file as the reference, and change as necessary. You can download the file here. The lines are commented, so you can change it pretty easily. Just make sure, with comments and everything else for that matter, that each rule fits on one line! Otherwise the wrapped part will be interpreted as a new line, that is to say, a new rule.
- After the file has been edited, load it into pf. First run pfctl -F all, which flushes all the previous rules and such. Then load the new configuration file you just made by running pfctl -f /etc/pf.conf. If no errors are shown, your file is good to go. Otherwise it's usually a case of a typo here or there, which makes the file not parse correctly. You can also check the syntax without loading anything by running pfctl -nf /etc/pf.conf first, which is a good habit before you flush a working rule set.
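To show what the steps above add up to, here is a minimal /etc/pf.conf in the OpenBSD 4.6 (pre-4.7) syntax that does NAT and a default-deny filter. This is an added example written for this post, not the author's downloadable file, and the interface names fxp0/fxp1 and the 192.168.1.0/24 LAN are assumptions; check yours with ifconfig.

```pf
# Added example for OpenBSD 4.6 pf.conf: NAT plus default-deny filtering.
# Interface names and LAN range are assumptions; adjust to your own box.
ext_if = "fxp0"            # card facing the modem/router
int_if = "fxp1"            # card facing the LAN switch

# Options and normalization come first in 4.6's section order.
set skip on lo0            # never filter loopback
set block-policy drop      # silently drop instead of sending RSTs/ICMP
scrub in all               # reassemble fragments, sanitize headers

# Translation rules must precede filter rules in 4.6 syntax.
# ($ext_if) in parentheses follows the external address if it changes,
# which matters when the router hands it out by DHCP.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Filter rules: deny everything inbound by default.
block in all

# Drop packets on the LAN side that claim an address they cannot have.
antispoof quick for { lo0 $int_if }

# Let the box and the NATed clients send traffic out and get replies back
# (states are floating by default, so a state created on $int_if also
# matches the translated packet leaving on $ext_if).
pass out all keep state

# Only the LAN may initiate connections, through the box or to it.
pass in on $int_if from $int_if:network to any keep state

# Nothing passes in on $ext_if: there is no rule for it, so the
# block above applies and the box is invisible from the outside.
```

OpenBSD 4.7 replaced nat on with match ... nat-to and dropped the standalone scrub rule, so this file has to be rewritten, not just copied, when 4.7 comes out.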
You’re done. Either let your clients get addresses by dhcp, or configure manually, depending on how you set up your interfaces and dhcpd. Test that traffic flows correctly.
OpenBSD is commonly considered to be one of the most secure operating systems on the planet. If you keep it patched, and don’t fuck up configurations, there is very little chance of your box getting compromised.
Any questions, feel free to ask. I’m by no means an OpenBSD guru, but I have been using it for this particular purpose for a few years now.
Footnote: This is what’s currently doing all of the above: