SLUG(7)                    Miscellaneous Information Manual                    SLUG(7)
SLUG
OpenBSD - Redundant & Transparent Firewalls — My talk on redundant & transparent firewalls with OpenBSD
SYNOPSIS
OpenBSD - Redundant & Transparent Firewalls
Building redundant & transparent firewalls with OpenBSD: a talk with practical demonstrations.
DESCRIPTION
This talk is split into three parts:
1. Brief History of OpenBSD
2. Putting a transparent firewall into a network. In this case the firewall is invisible to the network it protects.
3. Setting up a pair of firewalls to provide transparent redundancy for a network. Here transparent means that the client machines are unaware of the existence of the backup firewall.
Brief History of OpenBSD
In 1995 Theo de Raadt forked OpenBSD from NetBSD. The project emphasises correctness, security, and portability, and has a twice-yearly release schedule: a new stable release on 1 May and 1 November each year.
http://mdocml.bsd.lv/openbsd_projects.html lists software projects that are developed or maintained by the OpenBSD project - OpenSSH is the most prominent one.
In 2000 I was using FreeBSD to run a LAMP server (FAPP actually: FreeBSD, Apache, PostgreSQL, PHP) as a development environment that mirrored Deakin University's production environment, with Oracle replaced by PostgreSQL, when a computing student who was doing some work for us gave me a disc with OpenBSD on it.
It's been downhill ever since then :~) I've been using OpenBSD as my main desktop since 2001 (http://marc.info/?l=openbsd-www&m=101010739531791) and now, 14 years later, there is another desktop user: http://zacbrown.org/2015/01/18/openbsd-as-a-desktop.html
My reasons for using OpenBSD are:
1. Simplicity - the beauty of Unix.
2. Documentation - the man pages are excellent; an error in the documentation is considered a bug.
3. Portability - I have OpenBSD running on arm, amd64, i386, macppc, sparc, sparc64, and zaurus.
4. Too many to document - but I do hope to show an installation / upgrade during this talk if there is time.
The firewall software on OpenBSD is PF (Packet Filter). It arrived in 2001 as part of OpenBSD 3.0, released on 1 December 2001, as a BSD-licensed replacement for IPFilter (ipf) after a dispute over ipf's licence.
CARP (Common Address Redundancy Protocol) was added in OpenBSD 3.5, released on 1 May 2004. It allows us to create redundant firewalls, which I will be demonstrating later.
Transparent Firewalls
In this demo I'm using a PC Engines Alix 2D1 - it's i386 with a 433 MHz Geode processor, 128 MB RAM, and a 1 GB Compact Flash card for storage. Importantly it has 3 ethernet interfaces, which makes the set up easy.
In OpenBSD the interface names follow the chipset - so the three wired interfaces are vr0, vr1 and vr2 (VIA Rhine Ethernet device).
This firewall is going to use a transparent bridge to forward packets between the vr0 and vr2 interfaces. The bridge members carry no IP address, so there is no extra hop for machines on the internal network to see and the firewall appears invisible. I could alias an IP address to one of those interfaces, but as this device has three interfaces I will just configure vr1 as a management interface.
So I'm going to log in and show the set up.
Allow forwarding of packets between interfaces (bridge(4) forwards frames at layer 2 regardless of this sysctl, so it only matters if the box also routes):
# sysctl net.inet.ip.forwarding=1
Set up the external interface (lladdr random gives it a random MAC address):
# ifconfig vr0 lladdr random up description External
Set up the internal interface:
# ifconfig vr2 lladdr random up description Internal
Set up the bridge:
# ifconfig bridge0 add vr0 add vr2 up
At this point the firewall rules can be written in /etc/pf.conf and loaded with pfctl -f /etc/pf.conf. None of the commands above survive a reboot: to make the set up persistent, put "lladdr random up" in /etc/hostname.vr0 and /etc/hostname.vr2, "add vr0 add vr2 up" in /etc/hostname.bridge0, and net.inet.ip.forwarding=1 in /etc/sysctl.conf.
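The talk stops at "edit /etc/pf.conf", so here is a ruleset for exactly this bridge as an added example; it is not the talk's own configuration. It assumes vr0 and vr2 are the addressless bridge0 members, that vr1 carries a management address in 10.1.5.0/24 (the talk gives no address for it, so that network is an assumption), and the usual policy for a LAN firewall: internal hosts may start any IPv4 session outbound, nothing unsolicited comes in, and the box itself is reachable only over SSH from the management network.

```pf
# /etc/pf.conf for the transparent bridge (added example, not from the talk).
# Assumed: vr0/vr2 are the addressless bridge0 members, vr1 is the management
# interface with an address in 10.1.5.0/24 (the management network is assumed).
ext_if   = "vr0"
int_if   = "vr2"
mgmt_if  = "vr1"
mgmt_net = "10.1.5.0/24"

# A bridged IP packet is seen by pf twice, once on each member interface.
# Filter only on the internal member so every rule reads from the LAN's side.
set skip on { lo0 $ext_if }

# The default: state is not tied to an interface, so a reply that enters on
# vr0 and leaves on vr2 matches the state created by the outbound packet.
set state-policy floating

block log all

# Management plane: SSH to this box only from the management network, and let
# the box originate its own traffic (DNS, NTP, syspatch) on that interface.
pass in  on $mgmt_if proto tcp from $mgmt_net to ($mgmt_if) port 22
pass out on $mgmt_if

# Data plane: LAN hosts may start TCP/UDP/ICMP sessions towards the outside.
# Nothing is passed "out on $int_if", so unsolicited traffic from vr0 towards
# the LAN hits the block rule unless it belongs to a state created here.
# "inet" limits this to IPv4; IPv6 is blocked and logged until a rule is added.
pass in on $int_if inet proto { tcp udp icmp } from any to any
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, and watch what the block rule is logging with tcpdump -n -e -ttt -i pflog0. Non-IP frames such as ARP are bridged without passing through pf, which is what keeps the firewall invisible to the clients.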
Redundant Firewalls
In this demo I will show how, using carp and pfsync, we can create a pair of firewalls that provide redundancy and failover.
CARP provides the address failover: it creates a virtual interface carrying the shared IP address, the master answers for that address, and a backup takes over when the master's advertisements stop.
pfsync keeps the state tables of the two firewalls in sync, so that established connections survive a failover instead of being dropped by the new master. pfsync traffic carries no authentication, so it belongs on a dedicated link (as here) or inside IPsec.
I will be using two Soekris Net4501 for my redundant firewalls. The black ethernet cables connect the sis0 interfaces to the external network. The yellow ethernet cables connect the sis1 interfaces to the internal network. The red network cables connect the sis2 interfaces to the management network, which is separate from the other networks and is used for passing the pfsync traffic that keeps the state tables on both firewalls in sync.
I will now demonstrate how it works.
Firewall Configs (slugfw1)
slugfw1:slug ~> cat /etc/hostname.sis0
inet 192.168.1.121 255.255.255.0
rtsol
description External Interface
slugfw1:slug ~> cat /etc/hostname.sis1
inet 192.168.20.1 255.255.255.0
rtsol
description Internal Interface
slugfw1:slug ~> cat /etc/hostname.sis2
inet 10.1.5.10 255.255.255.0
rtsol
description Management Interface
slugfw1:slug ~> cat /etc/hostname.carp0
vhid 1
pass scotlug1
carpdev sis0
192.168.5.90 netmask 255.255.255.0
slugfw1:slug ~> cat /etc/hostname.carp1
vhid 2
pass scotlug1
carpdev sis1
192.168.20.5 netmask 255.255.255.0
slugfw1:slug ~> cat /etc/hostname.pfsync0
up
syncdev sis2
Firewall Configs (slugfw2)
$ cat /etc/hostname.sis0
inet 192.168.1.222 255.255.255.0
rtsol
description External Interface
$ cat /etc/hostname.sis1
inet 192.168.20.2 255.255.255.0
rtsol
description Internal Interface
$ cat /etc/hostname.sis2
inet 10.1.5.5 255.255.255.0
rtsol
description Management Interface
$ cat /etc/hostname.carp0
vhid 1
pass scotlug1
carpdev sis0
advbase 1
advskew 100
192.168.5.90 netmask 255.255.255.0
$ cat /etc/hostname.carp1
vhid 2
pass scotlug1
carpdev sis1
advbase 1
advskew 100
192.168.20.5 netmask 255.255.255.0
$ cat /etc/hostname.pfsync0
up
syncdev sis2
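The hostname.* files above bring up the interfaces but say nothing about the ruleset, and a ruleset that starts with "block all" silently breaks the pair: the backup never hears the master's CARP advertisements and both boxes become master. The following pf.conf is an added example, not from the talk, written to be loaded unchanged on slugfw1 and slugfw2. It uses the interface names and networks from the configs above; that SSH is accepted only from the 10.1.5.0/24 management network and that the pair routes without NAT are my assumptions.

```pf
# /etc/pf.conf shared by slugfw1 and slugfw2 (added example, not from the talk).
# Interface names and networks come from the hostname.* files above; that SSH
# is accepted only from 10.1.5.0/24 and that the pair routes without NAT are
# assumptions made for this example.
ext_if   = "sis0"
int_if   = "sis1"
sync_if  = "sis2"
int_net  = "192.168.20.0/24"
mgmt_net = "10.1.5.0/24"

set skip on lo0
block log all

# Redundancy plane.  CARP advertisements (IP protocol 112) must pass on every
# carpdev, or the backup never sees the master and both boxes claim the address.
# pfsync (IP protocol 240) has no authentication, so it is accepted only on the
# dedicated sync link.  (no-sync) keeps these states out of the pfsync stream.
pass on { $ext_if $int_if } proto carp keep state (no-sync)
pass quick on $sync_if proto pfsync keep state (no-sync)

# Management plane: SSH from the management network only, plus whatever the
# box itself originates on that interface.
pass in  on $sync_if proto tcp from $mgmt_net to ($sync_if) port 22
pass out on $sync_if

# Data plane.  No "on" clause: the shared address lives on carp0/carp1 while
# the frames arrive via the carpdev, and a rule without an interface matches
# either way.  State is floating by default, so the reply coming back through
# sis0 matches the state made here, on whichever box is master at the time.
# No "pass out" is needed: forwarded packets leave via that same state.
pass in inet proto { tcp udp icmp } from $int_net to any
```

Load it on both boxes with pfctl -f /etc/pf.conf. Both boxes also need net.inet.ip.forwarding=1, and the internal clients use 192.168.20.5 (carp1) as their default gateway, which is what makes the backup invisible to them. Set net.inet.carp.preempt=1 in /etc/sysctl.conf on both as well: with preempt on, a failed physical link on the master demotes every carp interface on that box, so the whole firewall fails over together instead of leaving carp0 master on one box and carp1 master on the other.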
To check the status of each firewall (slugfw1 should be MASTER on both carp interfaces, since it advertises with advskew 0 while slugfw2 uses advskew 100):
slugfw1:slug ~> ifconfig carp
carp0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
lladdr 00:00:5e:00:01:01
priority: 0
carp: MASTER carpdev sis0 vhid 1 advbase 1 advskew 0
groups: carp
status: master
inet 192.168.5.90 netmask 0xffffff00 broadcast 192.168.5.255
carp1: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
lladdr 00:00:5e:00:01:02
priority: 0
carp: MASTER carpdev sis1 vhid 2 advbase 1 advskew 0
groups: carp
status: master
inet 192.168.20.5 netmask 0xffffff00 broadcast 192.168.20.255
pfsync0: flags=20041<UP,RUNNING,NOINET6> mtu 1500
priority: 0
pfsync: syncdev: sis2 maxupd: 128 defer: off
groups: carp pfsync
I will now set up the laptop on the internal network to stream internet radio, and run telnet towel.blinkenlights.nl in a terminal.
Time for the axe treatment...
AUTHORS
Fred Crowson
CAVEATS
No slugs were harmed in this talk.
BUGS
Slugs don't have bugs they have slime.
REFERENCES
a. http://www.openbsd.org/
b. The Book of PF by Peter Hansteen, http://www.nostarch.com/pf3
c. Follow me on twitter: https://twitter.com/fcbsd/
HISTORY
This talk was given on Thursday 22 January 2015 at the Electron Club, CCA, Glasgow, for ScotLUG.