Chapter 13. Building an OpenBSD Gateway

Given the similarities between OpenBSD and FreeBSD, one would assume that the gateway configuration would be nearly identical for each of them. However, due to the underlying differences in kernel configuration and firewall structure, the OpenBSD implementation is surprisingly different from the FreeBSD one. The end result, however, is the same: a secured and efficient gateway machine protecting your wireless network.

As in the FreeBSD chapter, we will use dc0, dc1, and dc2 as the network interfaces. These correspond to the common Netgear and Linksys cards sold in most stores. Replace these with the names the drivers assign to the three interfaces on your own machine.

Building the Gateway

Your layer 3 gateway is your primary line of defense from outside attackers. It is also a valuable tool in keeping wireless attackers at bay. The gateway effectively controls the keys to your networked kingdom. Due to the central role the gateway plays in your network, special care should be taken throughout the installation and configuration process. A hole left in your gateway is a hole into your network.

When installing OpenBSD, make sure you install the kernel source code. Also, unless absolutely necessary, do not install the X Window System. Many SUID binaries are installed as part of X, and several of its programs bind to externally reachable ports on your machine. Not installing X greatly simplifies the maintenance of your machine. Also, be sure to have a sufficiently large /var file system to accommodate your logging requirements. 500 megabytes should be reasonable for a DSL-connected host.

Once the operating system is installed, examine the OpenBSD web site for security issues with your release. Links to the security advisories can be found at http://www.openbsd.org/security.html. Follow the instructions in the advisories to apply any required patches. If there are numerous vulnerabilities to be patched on your system, you may want to update your system to the -stable branch, otherwise known as the "patch branch." The -stable branch of your release is the part of the OpenBSD release cycle that carries the latest security and reliability patches for an already released version of the operating system. For more information on the -stable branch and upgrading to it, see http://www.openbsd.org/stable.html.

OpenBSD Kernel Configuration

The kernel must be configured for use as a gateway. The kernel should be stripped of any unneeded options or devices. This not only adds to the security of the kernel but also keeps the kernel small and fast. For complete details on compiling a secure OpenBSD kernel, see Chapter 6.

Once the kernel has been locked down, gateway-specific options need to be added to the kernel configuration. Firewall support is required to allow for stateful packet filtering. Also, packet-forwarding support must be added to allow the gateway to properly route packets between interfaces. Finally, IPsec support should be added to allow for VPN connections from the wireless network. Add the following lines to the architecture-independent configuration file:

option          GATEWAY         # packet forwarding
option          IPSEC           # IPsec
pseudo-device   pf      1       # packet filter
pseudo-device   pflog   1       # pf log interface

Compile and install your new kernel and verify the host acts properly after a reboot. If the gateway is going to connect to the wireless network using HostAP or a wireless network card instead of an Ethernet connection to the AP, make sure the kernel has support for the wireless drivers selected and has the proper options set. The options are described in Section 6.2.1 and the HostAP instructions of Chapter 9.

Configuring Services

Just as with a wireless client, unneeded services should be disabled to reduce the risk of running vulnerable services. For a complete discussion of removing services under OpenBSD, see Section 6.3.2.

Once unneeded services have been disabled, the remaining services and interfaces need to be configured. First, all the interfaces must be configured and a default route added. OpenBSD reads the configuration of each interface from /etc/hostname.<interface> (see hostname.if(5)); lines beginning with ! are run as commands after the interface is configured. This hostname.dc0 file configures our external interface. During boot time, it gives the interface an IP address and sets our default route:

# Example hostname.dc0
inet 192.0.2.240 255.255.255.0 192.0.2.255
!route add default 192.0.2.1

(The conventional OpenBSD place for the default gateway is /etc/mygate, which contains just the gateway address; either method works, but use only one so the two do not disagree.) Simple hostname.dc1 and hostname.dc2 files configure the other interfaces:

# Example hostname.dc1
inet 192.168.0.1 255.255.255.0 192.168.0.255

# Example hostname.dc2
inet 192.168.1.1 255.255.255.0 192.168.1.255

It is helpful to place external labels on the interfaces to keep track of which cable goes in where. With three interfaces on a host, it is easy to get confused as to which interface is the external and which is the trusted internal. Putting a label on the card now will save trouble down the road.

By default, an OpenBSD installation does not allow packets to be forwarded between interfaces. Packet forwarding must be turned on at boot time by adding the following line to /etc/sysctl.conf:

net.inet.ip.forwarding=1       # 1=Permit forwarding (routing) of packets

If you do not want to wait for a reboot, you can turn on IP forwarding by hand with the following command:

# sysctl -w net.inet.ip.forwarding=1

Like FreeBSD, OpenBSD has different kernel security levels, described in securelevel(7). The security levels range from -1 (permanently insecure) through 0 (insecure) and 1 (secure) to 2 (highly secure), and once raised, the level cannot be lowered by a running system, only by init at shutdown. Ideally, you should run your gateway at secure level 2 once it is in production. At secure level 2, the packet filter rules cannot be changed at runtime and the clock cannot be set backwards, so even an attacker who gains root on the gateway cannot open up the firewall. Secure level 2 is a difficult level to run at while configuring a host, so running at level 1 until the host is deployed is advisable. To set the secure level to 2, add the following line to /etc/sysctl.conf:

kern.securelevel=2

Note that the level must take effect after the packet filter rules have been loaded, or the ruleset itself can no longer be installed at boot. The documented place for the setting is securelevel=2 in /etc/rc.securelevel (see rc.securelevel(8)), which rc(8) applies late in the boot sequence for exactly this reason; /etc/sysctl.conf is processed earlier. Whichever file you use, confirm after the reboot that pfctl -sr shows your ruleset and sysctl kern.securelevel shows 2.

Finally, the packet filter must be enabled in /etc/rc.conf by adding the following line:

pf=YES              # Packet filter / NAT

Reboot the host one final time to make sure the host is responsive and capable of being configured.
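Before that final reboot it is worth checking that every file the preceding steps edit is actually in place, since a missing hostname.if file or a forgotten pf=YES leaves the gateway either unreachable or unfiltered. The following audit script is an added example and not part of the book; it runs the checks against a staging directory (or / on the live gateway) and, as an assumption explained in the comments, treats kern.securelevel=2 in sysctl.conf as a problem because that file is processed before the pf ruleset is loaded. The make_staging function builds a constructed tree mirroring this chapter's example files so the script can be run anywhere.

```shell
#!/bin/sh
# Pre-reboot audit of an OpenBSD gateway's boot-time configuration.
# Added example, not from the book: checks the files the chapter edits,
# in a staging directory or on the live root filesystem.

# has_setting FILE KEY VALUE: true if FILE has an uncommented KEY=VALUE line
has_setting() {
    [ -f "$1" ] || return 1
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep -E
    grep -Eq "^[[:space:]]*$key=$3([[:space:]#]|$)" "$1"
}

# audit_gateway ROOT IFACE...: ROOT is / on the gateway or a staging tree.
# Prints one line per finding; returns the number of problems found.
audit_gateway() {
    root=$1; shift
    problems=0
    for ifn in "$@"; do
        f="$root/etc/hostname.$ifn"
        if ! grep -qs '^inet ' "$f"; then
            echo "PROBLEM: $f missing or has no inet line; $ifn stays unconfigured"
            problems=$((problems + 1))
        fi
    done
    # Default route: either /etc/mygate or a "!route add default" line.
    if [ ! -s "$root/etc/mygate" ] &&
       ! cat "$root"/etc/hostname.* 2>/dev/null | grep -q '^!route add default'; then
        echo "PROBLEM: no default route (/etc/mygate or !route add default)"
        problems=$((problems + 1))
    fi
    has_setting "$root/etc/sysctl.conf" net.inet.ip.forwarding 1 || {
        echo "PROBLEM: net.inet.ip.forwarding=1 not in sysctl.conf; host will not route"
        problems=$((problems + 1)); }
    has_setting "$root/etc/rc.conf" pf YES || {
        echo "PROBLEM: pf=YES not in rc.conf; packet filter stays disabled"
        problems=$((problems + 1)); }
    # Securelevel 2 forbids changing pf rules, so it must take effect after
    # pf.conf is loaded. rc(8) applies /etc/rc.securelevel late in the boot;
    # sysctl.conf is read earlier, so flagging it here is our assumption.
    if has_setting "$root/etc/sysctl.conf" kern.securelevel 2; then
        echo "PROBLEM: kern.securelevel=2 in sysctl.conf; use securelevel=2 in /etc/rc.securelevel"
        problems=$((problems + 1))
    elif ! has_setting "$root/etc/rc.securelevel" securelevel 2; then
        echo "NOTE: securelevel 2 not configured (fine until the host is deployed)"
    fi
    return $problems
}

# make_staging DIR: constructed tree mirroring the chapter's example files
make_staging() {
    mkdir -p "$1/etc"
    printf 'inet 192.0.2.240 255.255.255.0 192.0.2.255\n' > "$1/etc/hostname.dc0"
    printf 'inet 192.168.0.1 255.255.255.0 192.168.0.255\n' > "$1/etc/hostname.dc1"
    printf 'inet 192.168.1.1 255.255.255.0 192.168.1.255\n' > "$1/etc/hostname.dc2"
    printf '192.0.2.1\n' > "$1/etc/mygate"
    printf 'net.inet.ip.forwarding=1\t# 1=Permit forwarding (routing) of packets\n' > "$1/etc/sysctl.conf"
    printf 'pf=YES\t\t# Packet filter / NAT\n' > "$1/etc/rc.conf"
    printf 'securelevel=2\n' > "$1/etc/rc.securelevel"
}

if [ "${1-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_staging "$d"
    audit_gateway "$d" dc0 dc1 dc2 && echo "OK: $d passes"
    rm -f "$d/etc/rc.conf"             # simulate a forgotten pf=YES
    audit_gateway "$d" dc0 dc1 dc2 || echo "found $? problem(s)"
    rm -rf "$d"
fi
```

Run it with --demo to see a passing tree and then the same tree with rc.conf removed; on the real gateway, audit_gateway / dc0 dc1 dc2 does the same checks against /etc. The exit status is the problem count, so the script can gate an automated reboot.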
